BRKSEC-3121
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
• FTD Architecture Overview and Update
• Jumbo flow handling
• Policy Apply and Snort Restarts
• Management Architecture
• Flex Configs and Use Cases
• TLS Decryption
• Deployments
Firepower Threat Defence: Architecture Overview and Update
FTD Overview
[Diagram: FTD overview. Several Snort instances, each with RX/TX PDTS rings, sit above the Data Plane (ASA) processes; shared components are Config, User Identity, Dispatcher, RAM, Eventing and Reporting, and the Deployment Manager.]
FTD CPU Core Allocation
• Firepower uses Hyper Threading to double logical cores on x86
• Firepower 2100 runs Data Plane on dedicated NPU, Snort on x86
• Firepower 4100/9300 split cores between System, Data Plane, and Snort
FTD Management Interface
• The SFtunnel between FMC and FTD is terminated on br1 (see ‘show network’)
• As of 6.3, syslog can now be sent using any interface (mgmt. or data), even messages from Lina that used to require the diagnostic interface
REFERENCE ONLY
FTD Management Interface
• FTD br1 vs diagnostic sub-interface comparison
br1
  Purpose: used to assign the FTD IP that will be used for FTD/FMC communication (SFtunnel); provides SSH access to the FTD box
  Mandatory: yes, since it is used for FTD/FMC communication (SFtunnel terminates on it)
diagnostic
  Purpose: provides remote access to the ASA engine CLI; used as a source for ASA syslog, AAA messages etc.
  Mandatory: no, and it is actually not recommended to configure it. The recommendation is to use a data interface instead*
FTD Configuration
[Diagram: Advanced Inspections Plane (Snort instances with RX/TX PDTS rings) over the Data Plane (ASA) processes, with Config, User Identity, Dispatcher and RAM; the FMC connects over the SF Tunnel.]
FTD Packet Flow Overview
[Diagram: numbered packet path through the Advanced Inspections Plane (Snort instances with RX/TX PDTS rings), the FTD Data-Plane (ASA), System Processes, Other processes, RAM, Config, User Identity and Dispatcher.]
REFERENCE ONLY
Modifications to ASA Based Data-Plane
FTD Packet Processing – The Big Picture
1. A packet enters the ingress interface and is handled by the ASA engine
2. If the policy dictates so, the packet is inspected by the Snort engine
3. The Snort engine returns a verdict for the packet
4. The ASA engine drops or forwards the packet based on Snort’s verdict
• Snort engine runs 6.x code
• ASA engine runs 9.X.x code
Prefilter Policy
• First access control phase in Data Plane (Lina) for each new flow
• Block: Deny the flow without any further processing
• Fastpath: Allow and process entirely in Data Plane, attempt Flow Offload
• Analyse: Pass for evaluation in Main AP, optionally assign tunnel zone
• Non-NGFW traffic match criteria
• Cannot copy/migrate directly to Main AP
Flow Offload
• Programmable Smart NIC on Firepower 4100 and 9300 only
Flow Offload Operation
• Dynamically program Offload engine after flow establishment
• Ability to switch between Offload and full inspection on the fly
[Diagram: incoming traffic hits the Flow Classifier on the Smart NIC; established trusted flows are handled by the Rewrite Engine (Flow Offload), all other flows go to the x86 CPU Complex on the Security Module for full inspection.]
• Limited state tracking, NAT/PAT, TCP Seq Randomisation
• 30-40Gbps per single TCP/UDP flow, 2.9us UDP latency, 2M tracked flows
Main Access Policy
• Second (last) access control phase in Snort
• Block [with reset]: Deny connection [and TCP RST]
• Interactive Block [with reset]: Show HTTP(S) block page [and TCP RST]
• Monitor: Log event and continue policy evaluation
• Trust: Push all subsequent flow processing into Data Plane only
• Allow: Permit connection to go through NGIPS/File inspection
• Appropriate place for implementing NGFW policy rules
• Full NGFW traffic selection criteria
• Decisions may need multiple packets
Unified Access Control Policy
L3/L4-only rules:
Policy ID | L3/L4 Source | L3/L4 Destination | Action
R1 | S1 | D1 | Trust
R2 | S2 | D2 | Deny, Log
R3 | S3 | D3 | Permit
R4 | S4 | D4 | Permit
R5 | S5 | D5 | Permit
Unified rules:
Policy ID | L3/L4 Source | L3/L4 Destination | L7 fields | Action | File, IPS policies
R1 | S1 | D1 | | Trust |
R2 | S2 | D2 | | Deny, Log |
R3 | … | … | App=Google+ | Permit | IPS-1, File-1
R4 | … | … | URL=Games | Warn | File-2
R5 | … | … | | Permit | IPS-2
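As an added illustration (not Cisco code), the two-phase decision described on the Prefilter and Main Access Policy slides: a Lina prefilter verdict (block / fastpath / analyse) followed by ordered main-policy evaluation in Snort, with Monitor logging and continuing, Trust handing the flow back to the Data Plane, Warn modelled as interactive_block, and a "pending" verdict when a rule needs an L7 field that has not been identified yet. The prefilter rules, the M0 monitor rule and the host tokens S1/D1 etc. are constructed placeholders.

```python
# Model of FTD two-phase access control: the Prefilter policy in the Data Plane
# (Lina) followed by the Main Access Policy in Snort. Constructed illustration.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Flow:
    src: str
    dst: str
    app: Optional[str] = None       # L7 fields stay unknown until Snort has seen
    url_cat: Optional[str] = None   # enough packets of the flow to identify them

@dataclass
class Rule:
    rid: str
    action: str                     # prefilter: block/fastpath/analyze; main:
    src: Optional[str] = None       # trust/block/interactive_block/monitor/allow
    dst: Optional[str] = None       # None = any (the "…" cells in the slide)
    app: Optional[str] = None       # L7 criteria, main policy only
    url_cat: Optional[str] = None
    ips: Optional[str] = None       # IPS / file policies applied on allow
    file: Optional[str] = None
    log: bool = False

    def match_l3l4(self, f: Flow) -> bool:
        return self.src in (None, f.src) and self.dst in (None, f.dst)

    def l7_state(self, f: Flow) -> str:
        """'match', 'nomatch', or 'pending' when a needed L7 field is unknown."""
        for want, have in ((self.app, f.app), (self.url_cat, f.url_cat)):
            if want is not None and have is None:
                return "pending"
            if want is not None and have != want:
                return "nomatch"
        return "match"

def prefilter(f: Flow, rules: list) -> str:
    """Phase 1, Lina only, L3/L4 criteria; unmatched flows are analysed."""
    for r in rules:
        if r.match_l3l4(f):
            return r.action
    return "analyze"

def main_policy(f: Flow, rules: list, default: str = "block") -> dict:
    """Phase 2, in Snort. Monitor logs and continues; other actions are final."""
    logged = []
    for r in rules:
        st = r.l7_state(f) if r.match_l3l4(f) else "nomatch"
        if st == "nomatch":
            continue
        if st == "pending":         # verdict needs more packets of this flow
            return {"rule": r.rid, "verdict": "pending", "logged": logged}
        if r.action == "monitor":
            logged.append(r.rid)
            continue
        return {"rule": r.rid, "verdict": r.action, "ips": r.ips, "file": r.file,
                "logged": logged + ([r.rid] if r.log else [])}
    return {"rule": None, "verdict": default, "logged": logged}

def evaluate(f: Flow, pre: list, main: list) -> dict:
    """Full decision: which engine keeps the flow and what happens to it."""
    p = prefilter(f, pre)
    if p in ("block", "fastpath"):  # decided in Lina; Snort never sees the flow
        return {"phase": "prefilter", "verdict": p, "engine": "lina",
                "offload_candidate": p == "fastpath"}
    m = main_policy(f, main)
    engine = "lina" if m["verdict"] == "trust" else "snort"
    return {"phase": "main", "engine": engine, **m}

# Constructed prefilter rules: one blocked host, one fastpathed backup flow
PREFILTER = [Rule("P1", "block", src="10.0.0.99"),
             Rule("P2", "fastpath", src="10.0.0.5", dst="10.9.9.9")]
# Main policy rules from the slide table, plus a constructed monitor rule M0
MAIN = [Rule("M0", "monitor", dst="D2"),
        Rule("R1", "trust", src="S1", dst="D1"),
        Rule("R2", "block", src="S2", dst="D2", log=True),
        Rule("R3", "allow", app="Google+", ips="IPS-1", file="File-1"),
        Rule("R4", "interactive_block", url_cat="Games", file="File-2"),
        Rule("R5", "allow", ips="IPS-2")]
```

Running `evaluate(Flow("S3", "D3"), PREFILTER, MAIN)` returns a pending verdict because R3 needs the application, which is the "decisions may need multiple packets" point from the slide.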
REFERENCE ONLY
FTD Packet Processing: Detailed
REFERENCE ONLY
FTD Packet Path in Routed Mode
FTD Deployment and Interface Modes
2 Deployment Modes (device modes inherited from ASA):
• Routed
• Transparent
6 Interface Modes
Inherited from ASA:
• Routed
• Switched (BVI)
Inherited from FirePOWER:
• Passive
• Passive (ERSPAN)
• Inline pair
• Inline pair with tap
• Note: interface modes can be mixed on a single FTD device (routed or switched are available based on device mode)
Interface Modes - Summary
FTD interface mode | FTD deployment mode | Description | Real traffic can be dropped
Routed | Routed | Full ASA and Snort checks | Yes
Switched | Transparent | Full ASA and Snort checks | Yes
Inline Pair | Routed or Transparent | Partial ASA and full Snort checks | Yes
Inline Pair with Tap | Routed or Transparent | Partial ASA and full Snort checks | No
Passive | Routed or Transparent | Partial ASA and full Snort checks | No
Passive (ERSPAN) | Routed | Partial ASA and full Snort checks | No
Management options for Cisco NGFW
• Cisco Firepower Device Manager (FDM): on-box manager, available on 5500-X, 2100, and FTDv
• Cisco Defence Orchestrator (CDO): cloud based
• Cisco Firepower Management Centre (FMC): centralised manager
Manage across many sites, control access and set policies, investigate incidents, prioritise response
REFERENCE ONLY
FMC Management Architecture
Firepower Device Manager (FDM)
Set up easily Control access and set policies Investigate incidents Prioritise response
New for 6.3
FTD Multi-Instance Demo (Start)
Firepower 6.3: Platform Capabilities, Operations, Visibility & Security
Multi-Instance in FTD 6.3: A new and better way
New in 6.3
[Diagram: one chassis hosting FTD Instances A, B, C and D and a future ASA Instance A, with per-instance CPU allocations of 10, 6, 18, 12 and 12 cores.]
FTD Multi-Instance DC Use case
• Complete separation of security services protecting DC apps
• Dev and QA firewalls can overload/go offline/upgrade without any effect on Production or Finance/HR instances
[Diagram: FTD instances for Production, Finance/HR, Development and Testing/QA, sized at 18, 12, 10 and 6 CPU cores, with free cores to (re)allocate.]
Cisco NGFW Per-Instance Policy in FMC 6.3
• One access control policy per instance
Native Multi-context vs Multi-instance
Benefits | FTD Multi-Instance | ASA Multi-context
Allows tenant management separation | ✓ | ✕
Supports new features as they come out | ✓ | ✕
Allows individual tenant failure | ✓ | ✕
Independent software versions | ✓ | ✕
Why did we choose multi-instance?
• Simplify Engineering development
• Improved feature velocity
• Separation of “FTD” instances
• Full tenant separation (Mgmt & Traffic)
• Fault level isolation
• Pre-defined and dedicated resources
• Each instance can run different versions of software
• Simplified deployment and operational management
Multi-Instance Scalability by Platform
• Complete separation of resources that are assigned at boot up currently
[Table: Platform vs Maximum FTD Instances]
FTD Multi-Instance Demo
Firepower 6.4 and FXOS 2.6.1 (in Beta)
New Features in 6.4 release (FXOS 2.6)
• FXOS 2.6.1 Mixed Blade Deployment
ASA and FTD on same 9300 Chassis
• Run native mode ASA on one blade and FTD in either native or container instances on other blades!
• Available with
  • FXOS 2.6.1
  • FTD 6.4
  • ASA 9.12.1
• Not supported with clustering in this release
[Diagram: Firepower 9300 Chassis with Security Module 1: ASA Native, Security Module 2: FTD Native, Security Module 3: FTD Instances (Instance 1, Instance 2, Instance 3).]
Security Performance
Jumbo or Elephant Flow Problem
[Diagram: the FTD architecture (Snort instances with RX/TX PDTS rings, FTD Data-Plane (ASA), System Processes, Other processes, RAM, Config, User Identity, Dispatcher) used to illustrate the jumbo flow problem.]
Managing Single-Flow Throughput
• Roughly calculated as overall throughput divided by Snort cores
• 53Gbps of 1024-byte AVC+IPS on SM44 / 48 Snort cores = ~1.1Gbps
• Similar on most high-end ASA, FirePOWER, and Firepower platforms
• Reducing impact on all flows from few superflows is more important
• “What does your security policy tell you to do?” Ideally, NGFW performance capacity must not dictate your security policy
• Flow Offload is the right tool, Intelligent Application Bypass (IAB) isn’t
• Testing if a solution implicitly offloads is easy
  • Transfer multiple benign and malicious files over a single SMB session
  • Use HTTP pipelining to service multiple requests over one TCP connection
Solutions
• Bypass Snort inspection for trusted flows using pre-filter policies (Flow Offload)
REFERENCE ONLY
Intelligent Application Bypass
• Goal is to offload trusted traffic from Snort when specific Snort instances are under performance duress
• Target flows are identified via the 'App Id' flow labeling aspect of the Network Discovery Policy
• Application Identification MUST be enabled in the Network Discovery Policy for IAB to act on flows
REFERENCE ONLY
Performance Parameters Monitored
• Drops, Processor, Latency & Rate
REFERENCE ONLY
When is a Flow Offloaded?
REFERENCE ONLY
IAB States
• OFF - IAB is disabled
• TEST - IAB monitors Snort performance and locates candidate flows to be bypassed, but only labels these candidate flows and does not actually enact the fast-path operation
• ON - Perform analysis and potential fast-path operations.
Other (Better!) Solution Options
• Pre-filter policies and Flow Offload
• If trusted elephant flows (like backup connections) are present, offload them to the hardware on 4100/9300 or bypass advanced inspections by configuring pre-filter policies or trust rules
Policy Apply and Snort Restart
Customer Use Case
• The Problem
  • Snort may restart when policy changes are applied
  • Snort restart may lead to packet drop
• The solution
  • Reduce cases where Snort restarts on policy apply
  • Reduce impact of Snort restarts
  • Provide warnings if policy modifications will result in Snort restart
Origin of Policy Apply Challenge
• Firepower evolved as an IDS/IPS solution
• Like other IDS/IPS solutions, Firepower could “fail open” if Snort was temporarily down
• Note that for NGIPS (inline pairs), packet drop can be avoided by using the Snort Fail Open feature
Policy Apply Improvements
• Enhancements in 6.2.2
  • Accelerate Policy Apply
  • Eliminate most cases of Snort restart due to Snort reconfiguration
  • Eliminate most cases of Snort restart due to Snort memory re-allocation
• Enhancements in 6.2.3
  • Warning when a policy apply will cause a Snort restart
  • Snort preserve connection feature added
• Enhancements in 6.3
  • Eliminate restart with binary SRUs
  • Eliminate most restarts due to VDB updates
Restart vs. Reload
• Snort restarts can disrupt traffic.
• Over several releases most Snort restart scenarios have been eliminated
• To achieve this, Snort restarts are often replaced by Snort reloads.
• Reloads use a separate reload thread to rebuild the Snort configuration
Scenarios Addressed in 6.2.2 (Slide 1 of 2)
6.2.2/6.2.3
Scenarios Addressed in 6.2.2 (Slide 2 of 2)
6.2.2/6.2.3
Notes on Remaining Snort Restart Triggers
Snort Restart Scenarios Remaining in 6.2.3
Policy changes | Policy action
Talos VDB Updates | Installing/Deploying VDB updates that do not involve App-id detectors
VDB Installation on FMC | Installing VDB on FMC causes restarts on all sensors
SRU with Binary Updates | Eliminate restart during installing SRU Binary Updates, or provide sufficient options to skip installing binary-only updates
File Policy options | Enabling/Disabling File policy options that extract files (see notes for details)
VDB updates with new app detectors | VDB updates for App-id detectors (binary changes)
Some MTU changes | When maximum MTU across all interfaces changes
Network Discovery advanced options | Enabling/Disabling ’Traffic Based Detection’ for Users for protocols: (mdns, ftp & http)
Snort Restart on SRU with Binary Rules
• SRUs are either plain text or shared objects
• Most are plain text.
• Some are compiled shared objects called binary rules.
• Before 6.3, installing binary rules would cause a Snort restart
• Text based rules only caused a Snort reload
• In 6.3, installing any rules only causes a Snort reload
• Feature applies to both manual and automatic SRUs
• During Snort reload, SRU binary shared objects are dynamically linked
Snort Restarts Due to VDB Updates
• Before 6.3
  • Snort restarted when any VDB update was installed. Device is marked as out-of-date.
  • Snort restarted again when the policy change is deployed.
Snort Restart Warnings Due to VDB Updates
• In 6.3, if Snort will restart during deploy (non-Talos updates), the administrator is warned twice.
  • When VDB update is chosen for installation
Snort Restart Scenarios Remaining in 6.3
Policy changes | Details
Non-Talos VDB updates | Deploy VDB updates with application detector updates
File Policy options | Enabling/Disabling file policy features that change the number of Snort instances: Spero analysis, dynamic analysis, local malware analysis, store files
Some MTU changes | When maximum MTU across all interfaces changes
Network Discovery advanced options | Enabling/Disabling ’Traffic Based Detection’ for Users for protocols: (mdns, ftp & http)
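As an added illustration (not Cisco code, and not FMC's actual warning logic), a pre-deployment check that diffs a running and a candidate device state against the 6.3 restart triggers listed above: a change of the maximum MTU across all interfaces, toggling a file policy option that changes the Snort instance count, toggling traffic-based user detection for mdns/ftp/http, and a non-Talos VDB update carrying application detector updates. The DeviceState fields, feature names and sample values are constructed.

```python
# Pre-deployment check modelled on the "Snort Restart Scenarios Remaining in 6.3"
# table: diff the running and candidate device state and report the changes that
# force a Snort restart (traffic disruption) rather than a reload. Constructed
# illustration, not Cisco code and not FMC's actual warning logic.
from dataclasses import dataclass, field

# File policy options whose enable/disable changes the number of Snort instances
INSTANCE_COUNT_FEATURES = {"spero_analysis", "dynamic_analysis",
                           "local_malware_analysis", "store_files"}
# Network Discovery traffic-based user detection protocols that restart Snort
USER_DETECTION_PROTOS = {"mdns", "ftp", "http"}

@dataclass
class DeviceState:
    interface_mtu: dict                     # interface name -> configured MTU
    file_policy_features: set = field(default_factory=set)
    user_detection: set = field(default_factory=set)
    vdb_version: int = 0
    vdb_source: str = "talos"               # "talos" or "non-talos"
    vdb_app_detector_update: bool = False   # the VDB carries new app detectors

def restart_triggers(running: DeviceState, candidate: DeviceState) -> list:
    """Changes between the two states that restart Snort under the 6.3 rules."""
    triggers = []
    # Some MTU changes: only a change of the maximum MTU across all interfaces
    old_max = max(running.interface_mtu.values())
    new_max = max(candidate.interface_mtu.values())
    if old_max != new_max:
        triggers.append("maximum MTU across interfaces %d -> %d" % (old_max, new_max))
    # File policy options that change the Snort instance count
    hits = (running.file_policy_features ^ candidate.file_policy_features) \
        & INSTANCE_COUNT_FEATURES
    if hits:
        triggers.append("file policy options toggled: " + ", ".join(sorted(hits)))
    # Traffic-based detection for users, only for mdns, ftp and http
    hits = (running.user_detection ^ candidate.user_detection) & USER_DETECTION_PROTOS
    if hits:
        triggers.append("traffic-based user detection toggled: " + ", ".join(sorted(hits)))
    # Non-Talos VDB updates that deploy application detector updates
    if (candidate.vdb_version != running.vdb_version
            and candidate.vdb_source != "talos" and candidate.vdb_app_detector_update):
        triggers.append("non-Talos VDB %d with app detector updates" % candidate.vdb_version)
    return triggers

def deploy_impact(running: DeviceState, candidate: DeviceState) -> dict:
    """'restart' if any trigger fires, else 'reload' (in 6.3 an SRU install,
    text or binary rules, is also only a reload and so is not a trigger)."""
    triggers = restart_triggers(running, candidate)
    return {"impact": "restart" if triggers else "reload", "triggers": triggers}

# Constructed sample running state used by the checks below
RUNNING = DeviceState(interface_mtu={"outside": 1500, "inside": 9000},
                      file_policy_features={"malware_cloud_lookup"},
                      user_detection={"ldap"}, vdb_version=309)
```

Changing the outside MTU from 1500 to 1600 leaves the maximum (9000) untouched and so reports a reload, while raising the inside MTU to 9216 reports a restart.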
Minimum Architecture and Minimum Bandwidths
FTD Configuration Deployment Process
1. Configuration bundle built for Lina and Snort on the Firepower Management Centre (limited syntax validation)
2. Configuration bundle ready
3. Configuration bundle download to each FTD (FTD 1, FTD 2), received by the Configuration Communications Manager (CCM)
Management Communication Elements
Item | Data Transfer Direction | Typical Package Size | Default Timeout
Device Configuration and SRU | FMC→FTD | 1-10MB depending on features; up to 1MB added for SRU | 5 minutes
FMC Link Bandwidth Requirements
• Image file transfer is the bottleneck in terms of minimum bandwidth
• 700Kbps-2.5Mbps depending on platform and bundle size
• Consider manual image upload with SCP or SFMGR
• Configuration bundle size varies based on features
FMC Scalability
• FMC managed device scalability is primarily driven by events volume
• 100K CPS can generate at least 200K connection events per second
• Delayed FMC event processing may cause backpressure on FTD device
  (Health monitor example: “Disk Usage: 0 - Disk Test 2017-09-01 12:21:53 Drain of unprocessed events from Connection Events”)
• Basic network audit data can be sent from Lina to an external SIEM
  • Configure NSEL with FlexConfig
  • Enable syslog and connection messages under Device policy
FTD/FMC Communication
Direction | Item | Size | Timeout
FMC→FTD | Device configurations | 0-10MB depending on policy push; SRU updates add up to 1MB | 5 min
FTD→FMC | Events | 700 bytes per event on average, but highly variable | NA
High Bandwidth FMC to FTD Communications
• The most bandwidth intensive operations are software patches and upgrades
• FMC status is transmitted every 10 mins
• Upgrades require about 400 Kbps of lossless bandwidth between managed device and FMC
• Recommended to perform remote upgrade using out of band management
• URL database updates require a minimum of 45 Kbps
  • Typical size is 20 MB of data
  • This would take about an hour at 45 Kbps
FTD/FMC Link Bandwidth Requirements
Flexconfigs
Inter-site Clustering on FTD
• Inter-site clustering supported on FTD
• Site IDs can be configured from Firepower Chassis Manager
• Will need FlexConfig to configure per site IP and per site MAC
Internet Link Resiliency
Customer Use Case #1
• Customer has a leased line that should be used as the primary Internet connection.
• In case the primary connection is down, use the secondary connection via a DSL modem until the primary link is restored.
Route Tracking
[Diagram: three-step route tracking flow]
Customer Use Case #2
• Customer has multiple internet connections and wants to load balance traffic equally across all of them
• Possibility of asymmetric traffic too
ECMP with Traffic Zones
Traffic zone configuration can be used for:
1. Traffic load-balancing (ECMP)
2. Route redundancy
3. Asymmetric traffic handling
SSL Decryption (Really it’s TLS!)
Customer Use Case
• Protect the network from threats from remote TLS servers
  • Called the outbound or unknown key case
  • Example: Malware downloaded over HTTPS by users surfing the web.
• Protect the network from attacks on internal TLS servers
  • Called the inbound or known key case
  • Example: Protect DMZ HTTPS servers from intrusion attacks
Challenges
• Inspection fails for some applications
• No end-user notifications unless traffic is decrypted
• Inspection fails for some client/server combinations
• Load on firewall creates throughput degradation
  • Pre 6.3, TLS decryption is performed in software
  • Post 6.3, TLS decryption in hardware on 2100, 4100, 9300
New in 6.3
Best Practices
• Block TLS traffic without decrypting
• Block URL categories
• Block Application (approx. 400 applications can be identified)
• Block based on certificate status, TLS version or cipher suite
Deployments
Policy and Traffic Separation
• Operationalise policy separation with low inter-tenant communication
• Assign different tenants’ interfaces to different zone groups
[Diagram: two chassis (one Supervisor each, interfaces Eth1/1-Eth1/3) connected by HA links.]
Scalable Multi-Tenant Design
[Logical diagram: outside, Tenant1:inside, Tenant2:inside, vPC]
Resilient Multi-Tenant Design
[Logical diagram: outside, Tenant1:inside, Tenant2:inside, vPC]
Resilient+ Multi-Tenant Design
[Logical diagram: outside, Tenant1:inside, Tenant2:inside, vPC]
FTDv Multi-Tenant Approach
• Large (100+) multi-tenancy deployments can use FTDv
• Leverage ESX or KVM on UCS or any generic compute hardware
• Shared and dedicated vCPU and memory resource pools
• Up to 1.1Gbps of AVC+IPS 1024-byte throughput per tenant
• Ensure proper resource allocation to each instance
• 4 vCPU cores
• 8GB of memory
• 50GB of disk space
New in 6.3
Q&A
Thank you