Deploying Intrusion Prevention Systems (BRKSEC-2030)
Source: d2zmdbbm9feqrf.cloudfront.net/2016/usa/pdf/brksec-2030.pdf
Agenda
• Introduction to IPS
• Cisco NGIPS Solutions
• Deploying Cisco NGIPS
• Migrating to Firepower NGIPS
• Conclusion
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Objectives: What will you learn in this session?
• Next Generation Security and IPS Fundamentals
• Understand the basic premise of Next-Generation Firewalls and IPS
• Cisco NGIPS Solutions
• Understand the various Cisco NGIPS solutions offerings and how they differ
• Deploying Cisco NGIPS
• Understand the process to select the right NGIPS solution
• Understand what the important considerations are when deploying NGIPS
• Migrating to FirePOWER NGIPS
• High level understanding of the process of migrating to FirePOWER NGIPS
BRKSEC-2030 4
Objectives: What is not covered (in depth) in this session?
• Not covered in depth in this session, so check out:
• Deploying Firewalls
BRKSEC-2020 - Firewall Deployment
BRKSEC-2028 - Deploying Next Generation Firewall with ASA and Firepower Service
• Troubleshooting FirePOWER
BRKSEC-3055 - Troubleshooting Cisco ASA with FirePOWER Services
• Detailed Migration to FirePOWER Services
BRKSEC-2018 - Tips and Tricks for Successful Migration to FirePOWER Solutions
• Tuning FirePOWER
BRKSEC-3126 - FirePOWER: Advanced Configuration and Tuning
2015 Cisco Annual Security Report
Introduction to IPS: What is IPS?
Why do I need IPS: Challenges come from every direction
(Slide diagram: Defenders sit at the centre, surrounded by the following pressures.)
• Sophisticated Attackers
• Complex Geopolitics
• Boardroom Engagement
• Misaligned Policies
• Dynamic Threats
• Complicit Users
Cisco NGIPS Solutions: Cisco FirePOWER NGIPS
Cisco FirePOWER Next-Generation IPS
Next-Generation IPS, Firewall and Anti-Malware Solution
• Supported on FirePOWER 7000 and 8000 series appliances
• Supported on ASA5500-X and ASA5585-X, FP4K & FP9K (FTD)
• Supported on ISRG2 and ISR4000 series (UCS-E)
• Supported in VMware, AWS and KVM (6.1)
• Supported on Meraki MX appliances
Cisco NGIPS Solutions: Next-Generation Firewall
Next-Generation Firewalls perform deep inspection of traffic and threat prevention, building on the traditional firewall with
• Integrated signature-based IPS engine
• Application visibility and granular control (AVC)
• Identity awareness and control
• URL Filtering
• Capability to incorporate external information (feeds)
Cisco NGIPS Solutions: Traditional IPS
Traditional IPS provides signature-based pattern matching for detection and prevention of intrusion attempts.
• Typically deployed behind a firewall or in IDS mode
• Typically a “bump in the wire”
• Often looks for exploits rather than vulnerabilities
• Often overwhelms analysts with irrelevant events
• Not much contextual information to take action on
• Requires a high level of tuning
As a result, traditional IPS
• Often needs additional devices to perform other related tasks
• Is often minimally effective or isn’t used
• Requires massive amounts of time and resources to make it work
• May leave organizations exposed
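The "exploits rather than vulnerabilities" point above is the classic argument for vulnerability-centric rules. The following is an added example, not code from the Cisco deck: a constructed toy protocol whose hypothetical server copies a name field into a 64-byte buffer, an exploit-centric signature that matches one published proof-of-concept payload, and a vulnerability-centric rule that fires on the triggering condition (field longer than the buffer) regardless of the bytes that follow. The protocol, buffer size and sample packets are all constructed for illustration.

```python
"""Added example (not from the Cisco deck): why a vulnerability-centric rule
outlasts an exploit-centric one.  The protocol, buffer size and payloads are
constructed for illustration; nothing here models a real product or CVE."""
import re

# Constructed toy protocol: "CMD <name>\n", where the hypothetical server copies
# <name> into a 64-byte buffer.  The *vulnerability* is "name longer than 64".
VULNERABLE_NAME_LEN = 64

# Exploit-centric rule: matches the exact bytes of one public proof of concept.
EXPLOIT_SIGNATURE = re.compile(rb"CMD A{64}EXPLOITv1")

# Vulnerability-centric rule: isolates the name field and checks its length.
NAME_FIELD = re.compile(rb"^CMD ([^\n]*)\n")

def exploit_rule(packet: bytes) -> bool:
    """Exploit-based signature: True only for the known payload bytes."""
    return EXPLOIT_SIGNATURE.search(packet) is not None

def vulnerability_rule(packet: bytes) -> bool:
    """Vulnerability-based rule: True whenever the name field overflows the buffer."""
    m = NAME_FIELD.match(packet)
    return m is not None and len(m.group(1)) > VULNERABLE_NAME_LEN

def evaluate(packets):
    """Map each sample label to (exploit_rule_hit, vulnerability_rule_hit)."""
    return {label: (exploit_rule(p), vulnerability_rule(p)) for label, p in packets.items()}

# Constructed traffic samples.
SAMPLES = {
    "benign":      b"CMD alice\n",
    "public_poc":  b"CMD " + b"A" * 64 + b"EXPLOITv1\n",
    "variant":     b"CMD " + b"B" * 70 + b"\x90\x90different-bytes\n",  # same bug, new payload
    "boundary_ok": b"CMD " + b"A" * 64 + b"\n",                        # exactly fills the buffer
}

if __name__ == "__main__":
    for label, (ex, vuln) in evaluate(SAMPLES).items():
        print(f"{label:12} exploit-rule={ex!s:5} vulnerability-rule={vuln}")
```

The "variant" sample is the case that matters: it evades the exploit signature completely but is caught by the length check, while the boundary sample shows that the vulnerability rule does not fire on legitimate maximum-length input.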
Cisco NGIPS Solutions: Next-Generation IPS
Next-Generation IPS extends traditional IPS with
• Application awareness, to enable visibility into new L7 threats and reduce the attack surface
• Contextual awareness, providing information to help better understand events, to provide automation and to reduce cost, complexity and tuning
• Content awareness, determining different file types and whether or not they are malicious
Next-Generation IPS is often deployed as part of a Next-Generation Firewall
Cisco NGIPS Solutions: What does a Security Appliance offer?
Cisco NGIPS Solutions: ASA with FirePOWER Services
Base Hardware and Software
• 5585-X Bundle SKUs with FirePOWER Services Module
• 5500-X SKUs running FirePOWER Services Software
• New 5506/8/16-X for SMB, Distributed Enterprises and Industrial Control
• Hardware includes Application Visibility and Control (AVC)
Security Subscription Services
• FirePOWER Services Licenses separate from ASA license
• IPS, URL, Advanced Malware Protection (AMP) Subscription Services
• One- and Three-Year Term Options
• Available via ELA
Management
• Firepower Management Center (HW Appliance or Virtual)
• Cisco Security Manager (CSM) or ASDM to Manage ASA Features
• ASDM manages both ASA and FirePOWER Services on new ASA low/mid models
Cisco NGIPS Solutions: ASA with FirePOWER Services Architecture
(Slide diagram, ASA 5585-X with FirePOWER Services: the ASA module (ports, 10GE NICs, CPU complex, fabric switch, crypto engine) and the SFR module (ports, 10GE NICs, CPU complex, fabric switch, crypto or regex engine) are joined by the backplane; packets enter at ASA ingress, pass to FirePOWER ingress, and egress after FirePOWER processing.)
• ASA processes all ingress/egress packets
• No packets are directly processed by FirePOWER except for management
• Traffic is forwarded to the FirePOWER module using a policy-map
• FirePOWER provides Next Generation Firewall Services
Cisco NGIPS Solutions: ASA with FirePOWER Services
• ASA 5506-X: 250 Mbps AVC, 125 Mbps AVC+IPS
• ASA 5506W-X (integrated wireless AP): 250 Mbps AVC, 125 Mbps AVC+IPS
• ASA 5506H-X (ruggedized): 250 Mbps AVC, 125 Mbps AVC+IPS
• ASA 5508-X: 450 Mbps AVC, 250 Mbps AVC+IPS
• ASA 5516-X: 850 Mbps AVC, 450 Mbps AVC+IPS
Cisco NGIPS Solutions: ASA with FirePOWER Services – Mid-range
• ASA 5516-X: 900 Mbps AVC, 450 Mbps AVC+IPS
• ASA 5525-X: 1.1 Gbps AVC, 650 Mbps AVC+IPS
• ASA 5545-X: 1.5 Gbps AVC, 1 Gbps AVC+IPS
• ASA 5555-X: 1.75 Gbps AVC, 1.25 Gbps AVC+IPS
Cisco NGIPS Solutions: ASA with FirePOWER Services – ASA5585
• ASA 5585-X SSP 10: 4.5 Gbps AVC, 2 Gbps AVC+IPS
• ASA 5585-X SSP 20: 7 Gbps AVC, 3.5 Gbps AVC+IPS
• ASA 5585-X SSP 40: 10 Gbps AVC, 6 Gbps AVC+IPS
• ASA 5585-X SSP 60: 15 Gbps AVC, 10 Gbps AVC+IPS
• ASA 5585-X SSP EP 10/40: 4.5 Gbps AVC, 4.5 Gbps AVC+IPS
• ASA 5585-X SSP EP 20/60: 7 Gbps AVC, 7 Gbps AVC+IPS
Cisco NGIPS Solutions: FirePOWER Appliances
Base Hardware and Software
• Single-pass Architecture
• 8000 Series
• Modular Interface Options (Netmods), including 10 and 40 Gbps
• Clustering support for HA
• Stacking Capable for increased throughput up to 60 Gbps
• 71x5 Series with 8 Fail-Closed SFP ports
• 7000 Series with built-in 1 Gbps Copper interfaces
• Virtual FirePOWER NGIPSv for VMware ESX(i)
Security Subscription Services
• IPS, URL, Advanced Malware Protection (AMP) Subscription Services
• One- and Three-Year Term Options
• Available via ELA
Management
• Firepower Management Center (HW Appliance or Virtual)
Cisco NGIPS Solutions: FirePOWER Appliances Architecture
(Slide diagram: the functions below are layered over the hardware blocks CPU, NFE, NMSB and NetMods.)
• FirePOWER Applications (NGIPS, AppID, AMP)
• Application/Control Plane Processing
• L2-L7 Classification
• Stateful Flow Processing
• PKI and Bulk Cryptography
• Flow-based Load Balancing
• L2 switching / L3 Routing / NAPT
• L2-L4 Packet Classification
• Packet-based load balancing
• Physical Interfaces
• Integrated Bypass Relays
Cisco NGIPS Solutions: FirePOWER Appliances
• 7000-series: 50 to 250 Mbps
• 7100-series: 500 Mbps to 2 Gbps
• 8100-series: 2 to 12 Gbps
• 8300-series: 10 to 60 Gbps
• NGIPSv: ~250 Mbps to ~2 Gbps
Cisco NGIPS Solutions: Comparing ASA with FirePOWER Services with FirePOWER Appliances
Solution: ASA with FirePOWER Services
• Form Factor: ASA 5500-X, 5585-X
• Performance: Up to 10 Gbps NGIPS on a single 5585-X SSP60
• Deployment: Physical ASA Inline Deployment, HA, Clustering
• Use Case: Inline and Promiscuous NGIPS and NGFW
• Packet Flow: From ASA to FirePOWER Module
• Management: CSM/ASDM for ASA, FMC/ASDM for FirePOWER Services
Solution: FirePOWER Appliances
• Form Factor: 8000, 7000 Physical and Virtual Appliances
• Performance: Up to 60 Gbps on 8390
• Deployment: Physical or SPAN Deployment, HA
• Use Case: Inline and Promiscuous NGIPS and NGFW
• Packet Flow: Directly through FirePOWER Appliance
• Management: Firepower Management Center
Cisco NGIPS Solutions: Comparing ASA with FirePOWER Services with FirePOWER Appliances
Solution: ASA with FirePOWER Services
• Features: All ASA + Most FirePOWER features
• Multi-Context: Ability to apply FirePOWER policy per context and generate reports on a per-context basis
• SSL Decryption: Currently only with external appliance
• VPN: Multiple remote-access and site-to-site options (IPSec, SSL)
• HA: Active/Standby, Active/Active, Clustering
• Routing: Static, EIGRP, OSPF, BGP, RIP, Multicast
• Identity: SFUA AD Agent, CDA and TrustSec on ASA
• Bypass: Module Fail-Open
Solution: FirePOWER Appliances
• Features: FirePOWER features
• Multi-Context: Ability to define Security Zones and apply policy and generate reports per zone
• SSL Decryption: Integrated as well as external appliance
• VPN: Limited site-to-site IPSec support
• HA: Active/Standby (Clustering)
• Routing: Static, OSPF, RIP
• Identity: SFUA, AD Agent, Passive Discovery
• Bypass: Automatic Application Bypass, HW Bypass
Cisco NGFW Platforms
All* managed by Cisco Firepower Management Center (*5585-X management available 2H CY16)
• Cisco Firepower™ 4100 Series and 9300 (new appliances)
• Cisco FirePOWER™ Services on ASA 5585-X
• Cisco Firepower Threat Defense on ASA 5500-X
Converged Software – Firepower Threat Defense
New Converged Software Image: Firepower Threat Defense
• Contains all Firepower Services plus select ASA capabilities
• Single Manager: Firepower Management Center*
Same subscriptions as FirePOWER Services:
• Threat (IPS + SI + DNS)
• Malware (AMP + ThreatGrid)
• URL Filtering
* Also manages Firepower Appliances, Firepower Services (not ASA Software)
High-Level Feature Comparison: ASA with FirePOWER Services, Firepower Threat Defense
Feature                                 | Firepower Services for ASA | Firepower Threat Defense | Notes for Firepower Threat Defense
HA, NAT                                 | ✔ | ✔ |
Routing                                 | ✔ | ✔ | Multicast & EIGRP in 6.1
Unified ASA and Firepower rules/objects | ✘ | ✔ |
Local Management                        | ✔ | ✔ | In 6.1, features differ
Multi-Context                           | ✔ | ✘ |
Inter-chassis Clustering                | ✔ | ✘ |
VPN                                     | ✔ | ✔ | Site-to-Site VPN in 6.1
Hypervisor Support                      | ✘ | ✔ | AWS, VMware; KVM in 6.1
Smart Licensing support                 | ✘ | ✔ |
Note: Not an exhaustive list of differences between these offerings.
What Platforms run Firepower Threat Defense?
All* managed by Cisco Firepower Management Center (*5585-X ASA module management being investigated for 2HCY16)
• Cisco Firepower Threat Defense on Firepower™ 4100 Series and 9300 (new appliances)
• Cisco FirePOWER Services on ASA 5585-X
• Cisco FirePOWER on 7000/8000 Series Appliances
• Cisco Firepower Threat Defense on ASA 5500-X
Cisco Firepower 4100 Series: Introducing four new high-performance models
Multiservice Security
• Integrated inspection engines for FW, NGIPS, Application Visibility and Control (AVC), URL, Cisco Advanced Malware Protection (AMP)
• Radware DefensePro DDoS
• ASA and other future third party
Performance and Density Optimization
• 10-Gbps and 40-Gbps interfaces
• Up to 80-Gbps throughput
• 1-rack-unit (RU) form factor
• Low latency
Unified Management
• Single management interface with Firepower Threat Defense
• Unified policy with inheritance
• Choice of management deployment options
Cisco Firepower 9300 Platform
High-speed, scalable security
Multiservice Security
• Benefits: Integration of best-in-class security; Dynamic service stitching
• Features*: Cisco® ASA container; Cisco Firepower™ Threat Defense containers: NGIPS, AMP, URL, AVC; Third-party containers: Radware DDoS, Other ecosystem partners
Modular
• Benefits: Standards and interoperability; Flexible architecture
• Features: Template-driven security; Secure containerization for customer apps; RESTful/JSON API; Third-party orchestration and management
Carrier Class
• Benefits: Industry-leading performance: 600% higher performance, 30% higher port density
• Features: Compact, 3RU form factor; 10-Gbps/40-Gbps I/O, 100-Gbps ready; Terabit backplane; Low latency, intelligent fast path; Network Equipment-Building System (NEBS) ready
* Contact Cisco for services availability
Security Modules
Three security module configurations
• SM36: 72 x86 CPU cores for up to 80 Gbps of firewalled throughput
• SM24: 48 x86 CPU cores for up to 60 Gbps of firewalled throughput
• (Future) NEBS: SM24 NEBS certification
Dual 800GB SSD in RAID1 by default
Built-in hardware packet and flow classifier and crypto accelerator
Hardware VPN acceleration is targeted for a subsequent software release
Cisco Firepower 9300 Overview
Supervisor
• Application deployment and orchestration
• Network attachment (10/40/100GE) and traffic distribution
• Clustering base layer for Cisco® ASA, NGFW, and NGIPS
Security Modules (slots 1, 2 and 3)
• Embedded packet and flow classifier and crypto hardware
• Cisco (ASA, NGFW, and NGIPS) and third-party (DDoS, load-balancer) applications
• Standalone or clustered within (up to 240 Gbps) and across (1 Tbps+) chassis
Firepower Threat Defense Packet Flow
(Slide diagram, single OS with zero-copy packet handling: Ingress NIC → L2/L3 Decode → L4 Decode → Flow Lookup → Route Lookup → NAT Lookup → Inspection checks → Routing → NAT → Egress NIC, with a Flow Update along the way. The FirePOWER Services engines (AVC, IPS, File/AMP) receive packets through the Packet Library (PDTS) and write to the Event Database.)
Cisco Firepower™ Management Center
Cisco Firepower Management Center: Single Console for Event, Policy and Configuration Management
Unified
• Network-to-endpoint visibility
• Manages firewall, applications, threats, and files
• Track, contain, and recover remediation tools
Scalable
• Central, role-based management
• Multitenancy
• Policy inheritance
Automated
• Impact assessment
• Rule recommendations
• Remediation APIs
IPS Deployment Cycle
Policy → Planning & Hardware Selection → Implementation & Operation → Evaluation (and back to Policy)
Policy: Network Security Policy
• Outlines rules for computer network access
• Determines how policies are enforced
• Basic Architecture of the network security environment
• Keep malicious users, applications and traffic out
• Keep internal data in
• Attack Mitigation and Incident Response
• Align to business needs
Planning and Hardware Selection: Define your requirements
• Details how the Security Policy will be met
• Write-up of all requirements to prepare for implementation
• Determine places in the network to deploy
• Define the capabilities needed within each place in the network
• Determine if there are any complementary solutions in place (integration)
• Good planning will lead to a successful implementation
• Reduces complexity
• Predictability and risk awareness
• Select devices based on requirements
Planning and Hardware Selection: Define your requirements
Requirements to define:
• Use Case
• Location
• Connectivity
• Performance
• Availability and Scaling
• Management
These drive the Implementation, the Features and Licenses, and the Hardware.
Use Case: What problem are we solving?
Traditional FW
• 5-tuple Access Control
• Stateful Protocol Inspection
• NAT
• Routing
NGFW
• Application Visibility and Control
• User-Based Controls
• Filtering Web Access
• Encrypted Traffic
NGIPS
• Intrusion Detection
• Intrusion Prevention
• Encrypted Traffic
• Compliance
• Network Forensics
VPN
• Remote Access
• Site-to-Site
• NAT, Routing, …
Malware
• Trojan Horses, Rootkits, …
• Scope spreading
• 0-days
Use Case: Inspecting Encrypted Traffic
• > 30% of Internet traffic is SSL encrypted, hiding it from inspection
• Google, Facebook, Office 365
• Continues to increase, with most organizations seeing 50-75%
• Google to prioritize sites using SSL
• An increasing percentage of malware is hiding in SSL tunnels
• Malware downloads
• CnC connections
• Data exfiltration
• Policy enforcement and threat protection
Use Case: Inspecting Encrypted Traffic
(Slide diagram: Client ⇄ encrypted ⇄ SSL Appliance ⇄ decrypted ⇄ FirePOWER; SSL Appliance ⇄ encrypted ⇄ Server.)
• Choose an external SSL appliance for high bandwidth and the ability to inspect with other solutions, e.g. DLP
• Use the new built-in SSL inspection for simplicity and cost-effectiveness
Use Case: Inspecting Encrypted Traffic with on-box decryption
• Multiple deployment modes
• Passive Inbound (known keys)
• Inbound Inline (with or without keys)
• Outbound Inline (without keys)
• Flexible SSL support for HTTPS & StartTLS-based apps
• E.g. SMTPS, POP3S, FTPS, IMAPS, TelnetS
• Decrypt by URL category and other attributes
• Centralized enforcement of SSL certificate policies
• E.g. blocking self-signed encrypted traffic, SSL version, specific cipher suites, unapproved mobile devices
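The on-box decryption slide lists the decisions an SSL policy has to make: decrypt by URL category, block self-signed certificates, enforce a minimum protocol version, block specific cipher suites, and choose known-key decryption for inbound traffic versus re-signing for outbound. The following is an added example, not code from the Cisco deck, showing that decision logic as an ordered, first-match-wins rule list evaluated over constructed session metadata. The field names, rule names, URL categories and the corporate CA name are this example's own assumptions.

```python
"""Added example (not from the Cisco deck): evaluating constructed TLS session
metadata against an ordered SSL policy of the kind the slide lists (decrypt by
URL category, block self-signed traffic, minimum protocol version, disallowed
cipher suites, known-key vs. re-sign decryption).  Field names, rule names and
URL categories are this example's own."""
from dataclasses import dataclass

@dataclass(frozen=True)
class TlsSession:
    direction: str       # "outbound" (client inside) or "inbound" (server inside)
    version: str         # negotiated protocol version, e.g. "TLSv1.2"
    cipher: str          # negotiated cipher suite name
    issuer: str          # server certificate issuer DN
    subject: str         # server certificate subject DN
    url_category: str    # URL classification of the requested host
    known_key: bool      # True if the server's private key is loaded on the sensor

VERSION_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def is_self_signed(s):
    """A self-signed certificate has issuer == subject."""
    return s.issuer == s.subject

def version_below(s, minimum):
    return VERSION_ORDER.index(s.version) < VERSION_ORDER.index(minimum)

# Ordered rules, first match wins: (rule name, predicate, action).
SSL_POLICY = [
    ("block-legacy-protocol", lambda s: version_below(s, "TLSv1.1"), "block"),
    ("block-weak-cipher", lambda s: any(w in s.cipher for w in ("RC4", "NULL", "EXPORT")), "block"),
    ("block-self-signed-outbound", lambda s: s.direction == "outbound" and is_self_signed(s), "block"),
    ("privacy-categories", lambda s: s.url_category in {"health", "finance"}, "do-not-decrypt"),
    ("inbound-known-key", lambda s: s.direction == "inbound" and s.known_key, "decrypt-known-key"),
    ("outbound-resign", lambda s: s.direction == "outbound", "decrypt-resign"),
]
DEFAULT_ACTION = ("default", "do-not-decrypt")   # inbound without the server key: leave it alone

def evaluate(session):
    """Return (matching rule name, action) for one session."""
    for name, predicate, action in SSL_POLICY:
        if predicate(session):
            return name, action
    return DEFAULT_ACTION

def evaluate_all(sessions):
    return {name: evaluate(s) for name, s in sessions.items()}

# Constructed sessions; CA is a constructed issuer name.
CA = "CN=Example Corporate CA"
STRONG = "ECDHE-RSA-AES128-GCM-SHA256"
SESSIONS = {
    "employee-search":      TlsSession("outbound", "TLSv1.2", STRONG, CA, "CN=search.example.net", "search", False),
    "online-banking":       TlsSession("outbound", "TLSv1.2", STRONG, CA, "CN=bank.example.net", "finance", False),
    "self-signed-outbound": TlsSession("outbound", "TLSv1.2", STRONG, "CN=box-42", "CN=box-42", "uncategorized", False),
    "dmz-web-server":       TlsSession("inbound", "TLSv1.2", STRONG, CA, "CN=www.example.com", "corporate", True),
    "legacy-client":        TlsSession("outbound", "TLSv1", "AES128-SHA", CA, "CN=old.example.net", "software", False),
    "weak-cipher":          TlsSession("inbound", "TLSv1.2", "RC4-SHA", CA, "CN=www.example.com", "corporate", True),
    "partner-no-key":       TlsSession("inbound", "TLSv1.2", STRONG, CA, "CN=partner.example.com", "corporate", False),
}

if __name__ == "__main__":
    for name, (rule, action) in evaluate_all(SESSIONS).items():
        print(f"{name:22} {rule:28} -> {action}")
```

Rule order is the design point: the certificate and protocol checks sit above the category exemption, so a finance site presenting a self-signed certificate or a legacy protocol is still blocked rather than silently passed undecrypted.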
Use Case: Inspecting Encrypted Traffic with external appliance
• Cisco SSL Appliance 1500, 2000, 8200 (4, 10 and 20 Gbps)
• Encrypted traffic flow
• Decrypted by SSL Appliance
• Re-encrypted by SSL Appliance
• Plain text traffic flow
• Forwarded by SSL Appliance
• Sent to sensor
• Processed and returned to SSL Appliance
• Packets returning from the sensor are not re-encrypted
• Modifications made to packets by the sensor are not present in the encrypted traffic flow
• Non-SSL traffic is cut through
(Slide diagram legend: clear text traffic; SSL traffic with rewritten certificate; SSL traffic with original certificate; Inside Network / Outside Network.)
Use Case: Intrusion Detection and Reporting (passive)
(Slide diagram: Ethernet switch SPAN destination port connected to the sensor's passive interface.)
• Identify and log intrusion attempts
• Need to prioritize events based on
• Criticality of the asset
• Relevancy of the attack
• Potential for damage
• What signatures to enable?
• How to avoid noise, false positives and non-relevant events?
• How to maximize the effectiveness of the analyst?
• How to deal with encrypted traffic?
• Contextual Visibility is key!
Use Case: Intrusion Prevention
• Identify, log and/or prevent intrusion attempts
• All of what matters for IDS also applies to IPS
• The right tuning is even more important because
• False positives may drop good traffic
• Inline deployment may have an impact on performance
• Often IPS is deployed as IDS, then tuned before inline deployment
• Contextual Visibility is key!
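The two slides above make the same point twice: events must be prioritized by asset criticality, attack relevancy and potential for damage, and an IPS is usually run as an IDS first and tuned before it goes inline. The following is an added example, not code from the Cisco deck, that scores constructed IDS events against a constructed host inventory (the kind of context passive discovery provides) and then derives per-rule tuning candidates from that history. The relevance labels and weights are this example's own scheme, not the product's impact-flag algorithm.

```python
"""Added example (not from the Cisco deck): context-aware prioritisation of
IDS/IPS events and a pre-inline tuning pass.  Hosts, rules and events are
constructed; the relevance labels and weights are this example's own scheme."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Host:
    ip: str
    os_family: str           # "windows", "linux" or "unknown"
    open_ports: frozenset    # TCP ports seen open (from passive discovery)
    criticality: int         # 1 (low) .. 3 (crown jewel)

@dataclass(frozen=True)
class Rule:
    sid: int
    target_os: str           # OS family the exploited vulnerability exists on, or "any"
    target_port: int         # service port the rule inspects
    severity: int            # 1 (low) .. 3 (high): potential for damage

@dataclass(frozen=True)
class Event:
    sid: int
    dst_ip: str

RELEVANCE_WEIGHT = {"vulnerable": 3, "potentially": 2, "unknown": 1, "not": 0}

def relevance(rule, host):
    """Does the attacked vulnerability plausibly exist on the target host?"""
    if host is None or host.os_family == "unknown":
        return "unknown"                       # no context: cannot be dismissed
    os_match = rule.target_os in ("any", host.os_family)
    port_open = rule.target_port in host.open_ports
    if os_match and port_open:
        return "vulnerable"
    if os_match or port_open:
        return "potentially"
    return "not"

def score(event, rules, hosts):
    """Priority = asset criticality x attack relevance x potential damage.
    Returns (score, relevance); a score of 0 is noise for this target."""
    rule = rules[event.sid]
    host = hosts.get(event.dst_ip)
    rel = relevance(rule, host)
    criticality = host.criticality if host else 1
    return criticality * RELEVANCE_WEIGHT[rel] * rule.severity, rel

def triage(events, rules, hosts):
    """Events sorted highest priority first, as (score, relevance, event)."""
    scored = [(*score(e, rules, hosts), e) for e in events]
    return sorted(scored, key=lambda t: -t[0])

def recommend_tuning(events, rules, hosts):
    """Pre-inline tuning pass over the IDS-mode history: a rule that hit a
    vulnerable target becomes a 'drop' candidate, one that only ever hit
    non-vulnerable targets an 'alert-only' candidate, anything else 'alert'."""
    seen = defaultdict(set)
    for e in events:
        seen[e.sid].add(score(e, rules, hosts)[1])
    actions = {}
    for sid, rels in seen.items():
        if "vulnerable" in rels:
            actions[sid] = "drop"
        elif rels == {"not"}:
            actions[sid] = "alert-only"
        else:
            actions[sid] = "alert"
    return actions

# Constructed inventory, rules and events.
HOSTS = {h.ip: h for h in [
    Host("10.0.0.5", "windows", frozenset({445, 3389}), 3),   # file server
    Host("10.0.0.9", "linux", frozenset({22, 80}), 2),        # web host
]}
RULES = {r.sid: r for r in [
    Rule(1001, "windows", 445, 3),   # SMB exploit attempt
    Rule(2002, "linux", 80, 2),      # web-app exploit attempt
    Rule(3003, "any", 22, 1),        # SSH brute-force pattern
    Rule(4004, "windows", 135, 2),   # RPC exploit attempt
]}
EVENTS = [
    Event(1001, "10.0.0.5"),   # SMB exploit at the Windows file server: vulnerable
    Event(1001, "10.0.0.9"),   # same rule at a Linux host without 445: not relevant
    Event(2002, "10.0.0.9"),   # web exploit at the Linux web host: vulnerable
    Event(3003, "10.0.0.5"),   # SSH pattern at the Windows host, port closed: potentially
    Event(3003, "10.0.0.7"),   # host not in inventory: unknown
    Event(4004, "10.0.0.9"),   # RPC exploit at Linux: not relevant
]

if __name__ == "__main__":
    for s, rel, e in triage(EVENTS, RULES, HOSTS):
        print(f"score={s:2} {rel:11} sid={e.sid} dst={e.dst_ip}")
    print(recommend_tuning(EVENTS, RULES, HOSTS))
```

The two zero-score events are the "non-relevant events" the slide wants suppressed, and the tuning pass shows why IDS-mode history matters: only rule 4004, which never hit a plausible target, is proposed for alert-only, while the rules that hit vulnerable assets are proposed for drop before going inline.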
Use Case: Licensing
Functionality               | Traditional Licensing | Smart Licensing
Base License (includes AVC) | Protect + Control     | Base
IPS (SI, DNS)               | (EULA Enforced)       | Threat
AMP/Threat GRID             | Malware               | Malware
URL Filtering               | URL Filtering         | URL Filtering
Management                  | FireSIGHT             | Built into Firepower Management Center
Location: What Network Segment do we want to protect?
• Internet Edge
• Data Center
• Branch
• Core
• Extranets
• Critical Network Segments
Location: Internet Edge
• Enterprise’s GW to Cyberspace
• Serves diverse building blocks
• Allow outbound employee traffic and inbound traffic to servers
• Filter outbound employee traffic
• Need for diversified policy protecting both DMZ and users
• Expected threats include (D)DoS, intrusion attempts, application-layer attacks
• URL and Application filtering, IPS/IDS, SSL Decryption, Anti-malware
Location: Data Center
• Houses the most critical applications and data
• Key to security is maintaining service availability
• Security may affect traffic flows, scalability and failures
• “Perceived” universal DC requirements include High Availability, ability to deal with asymmetric traffic, Scalability
• Expected threat vectors include data loss, unauthorized access
• Some use-cases for IPS in the DC are inter-zone inspection and VM-to-VM inspection
Connectivity: What Interfaces are needed?
• How Many Interfaces?
• Fiber or Copper?
• Bypass or non-bypass?
• Interface Speed?
• Need for bundling Interfaces?
• Need for Wireless?
ConnectivityInterface Options on ASA with FirePOWER Services
5506 5506-H 5506-W 5508/5516 5525/45/55
Fixed 1GE Interfaces 8 4 8 8 8
Modular Interfaces NO NO NO NO6 GE Copper
or SFP
Integrated Wireless AP NO NO YES NO NO
Hardware Fast Path NO NO NO NO NO
Monitor-Only Mode YES YES YES YES YES
Connectivity: Interface Options on ASA with FirePOWER Services
Model                | 5585 SSP10F10, SSP20F20 | 5585 SSP10F20, SSP20F40 | 5585 SSP40F40, SSP60F60
Fixed 1GE Interfaces | 16                      | 14                      | 16
SFP+ Sockets         | 4 (1/10 GE)             | 6 (1/10 GE)             | 8 (1/10 GE)
Hardware Fast Path   | NO                      | NO                      | NO
Monitor-Only Mode    | YES                     | YES                     | YES
Connectivity: Interface Options on FirePOWER Appliances
Model                       | NGIPSv | 7000 | 7100                 | 8100                      | 8300
Modular Interfaces          | N.A    | NO   | 8 GE Copper or SFP * | Up to 3 modules (1,10 GE) | Up to 7 modules (1,10,40 GE)
Monitoring Interfaces (Max) | N.A    | 8    | 8-12                 | 12                        | 28
Hardware Bypass             | NO     | YES  | YES                  | YES                       | YES
Hardware Fast Path          | NO     | NO   | NO                   | YES                       | YES
* 7115, 7125, and 7150 models only
Connectivity: Network Modules for FirePOWER 8000 Series
Integrated Bypass NetMods
• 1-Gbps 4-port copper
• 1-Gbps 4-port fiber
• 10-Gbps 2-port fiber SR (short-reach)
• 10-Gbps 2-port fiber LR (long-reach)
Non-Bypass NetMods
• 1-Gbps 4-port copper
• 1-Gbps 4-port fiber
• 10-Gbps 4-port fiber SR (short-reach)
• 10-Gbps 4-port fiber LR (long-reach)
Also listed: 40-Gbps 2-port fiber SR (8200/8300 only)
Connectivity: Interface Options on ASA with FirePOWER Services
Model                 | FP4100                              | FP9300
Fixed 10GE Interfaces | 8                                   | 8
SFP+ Sockets          | 2 (8/10 GE SFP+), 2 (4/40 GE QSFP+) | 2 (8/10 GE SFP+), 2 (4/40 GE QSFP+), 1 (2/100 GE SFP28)
Integrated Bypass     | Future version                      | Future version
Flow Offload          | Future version                      | Future version
Monitor-Only Mode     | YES                                 | YES
Connectivity: Link Aggregation for Link Redundancy and Scaling
(Slide diagram: NGIPS appliance ports s1p1–s1p4 bundled as lag0 towards a switch.)
• Combine multiple links into one aggregated link (port-channel)
• Availability and Throughput
• Manual (always on) EtherChannel or LACP
• Supported on ASA, Firepower and FirePOWER appliances
• ASA and Firepower: multiple firewalls can be members of one port-channel (used in Clustering)
• FirePOWER Appliances: only supported to aggregate interfaces on the same device
Connectivity: How should the IDS/IPS be connected?
FirePOWER Appliance
• Promiscuous: Passive interface
• Inline Interfaces
• Virtual Switched Mode
• Virtual Routed Mode
ASA with FirePOWER Services
• Inline
• Promiscuous
• Span Port Mode
FTD
• Inline
• Inline Tap
• Passive
Connectivity: FirePOWER Appliance Deployment Models
Traditional IDS Deployment
• SPAN, TAP to send a copy of traffic to IDS
• Does not impact network traffic
• Easy to insert into an existing network
• i.e. Passive Mode
Traditional IPS Deployment
• Bump in the wire, entirely transparent to the network
• Bypass functionality
• Easy to insert into an existing network
• i.e. FirePOWER Inline Interfaces
Traditional Transparent Firewall Deployment
• No Bypass functionality
• Can actively participate in the network (i.e. keeps CAM table, can broadcast ARP requests)
• State-sharing is a requirement for network continuity in HA pairs
• i.e. Virtual Switched Mode
Traditional Routed Firewall Deployment
• FW is a hop in the network between L3 boundaries
• Has to be aware of routing protocols
• State-sharing is a requirement for network continuity in HA pairs
• i.e. Virtual Routed Mode
Connectivity: FirePOWER Appliance Promiscuous – Passive Interface
(Slide diagram: Ethernet switch SPAN destination port connected to the sensor's passive interface.)
• FirePOWER Appliances and NGIPSv
• Only copies of the packets are sent to the sensor
• One or more physical ports designated as passive
• Visibility and Detection
• Optional prevention through remediation modules
• Separate device must send copies of the packets
• SPAN (or monitor) from a switch
• Network Taps
Switch-side SPAN configuration (as on the slide):
monitor session 1 type local
 source int fa4/1
 destination int fa2/2
Connectivity: FirePOWER Appliance Inline – Inline Interfaces
Transparent Interfaces: the sensor is a Layer 2 bridge and sits between two physical ports on a switch or on two different switches
• Two physical interfaces paired together
• Paired interfaces must be assigned to an inline set
• Multiple pairs can be configured on the same sensor as sets
• IPS between two access-ports on the same switch or between two different switches
• Traffic passes through the sensor
• Pass good traffic, and block bad
• Redundancy can be provided with STP or an additional sensor
• Fail-open can be provided with hardware-bypass interfaces
Connectivity: FirePOWER Appliance Inline – Configuring Inline Interfaces
• Create an Inline Set
• Select Bypass mode
• Assign one or more interface pairs to the Inline Set
• Advanced Options:
• Tap Mode
• Propagate Link State
• Transparent Inline Mode
• Strict TCP Enforcement
Connectivity: FirePOWER Appliance Inline – Virtual Switched Mode
(Slide diagram: Host A on VLAN 10 and Host B on VLAN 20 bridged through the sensor's virtual switch.)
• Virtual Switch is defined within the sensor
• Traditional L2 firewall deployment model
• Two or more physical interfaces or VLANs are assigned to the Virtual Switch
• Traffic passes through the IPS and gets inspected
• The incoming VLAN tag is stripped and packets are re-encapsulated with the egress VLAN tag when leaving
• Security redundancy (HA) can be provided with STP deployments
• Network availability (fail-open) can be provided with a redundant wire
Connectivity: FirePOWER Appliance Inline – Configuring Inline Switched Mode
• Create logical switched interfaces for each VLAN *
• Create a Virtual Switch
• Add logical or physical interfaces to the Virtual Switch
• Advanced Options:
• Static MAC Entries
• Enable STP
• Strict TCP Enforcement
• Drop BPDUs
Connectivity: FirePOWER Appliance Inline – Virtual Routed Mode
Routed Interfaces
• Two or more physical or logical (VLAN) interfaces defined as routable interfaces
• Traditional L3 firewall deployment
• Route good traffic, and drop bad
• Static Routing, RIP, OSPF and BGP are supported
• Redundancy can be provided through SFRP to a standby sensor
• Fail-open is NOT supported in routed mode
Connectivity: FirePOWER Appliance Inline – Configuring Virtual Routed Mode
• Create logical routed interfaces for each VLAN *
• Assign IP addresses to logical or physical routed interfaces
• Create a Virtual Router
• Add logical or physical interfaces to the Virtual Router
• Configure Routing type
• Advanced Options:
• IPv6 Support
• DHCP Relay
• Static Routing Entries
• Routing Filter
• Authentication Profile
Connectivity: ASA with FirePOWER Services Deployment Models
ASA itself could be deployed in many ways:
• L2 (Transparent) / L3 (Routed mode)
• Single-Context / Multi-Context
• Active/Standby, Active/Active, Clustering
Modular Policy Framework (MPF) is used to forward traffic from ASA to FirePOWER Services:
• Inline
• Promiscuous
• Monitor-only
policy-map global_policy
 class class-default
  sfr fail-open
service-policy global_policy global
Connectivity: ASA with FirePOWER Services – Inline (L3 or L2 mode ASA)
• ASA is deployed inline
• ASA forwards selected traffic through the module
• As defined in the ASA policy-map
• Packets and flows are not dropped by FirePOWER Services directly
• Packets are marked with Drop or Drop with Reset and sent back to the ASA
• This allows the ASA to clear the connection from the state tables and send resets if needed
policy-map global_policy
 class class-default
  sfr fail-open
service-policy global_policy global
Connectivity: ASA with FirePOWER Services – Promiscuous
• ASA is still deployed inline
• ASA forwards a copy of the selected traffic through the module
  • As defined in the ASA policy-map
  • Monitor-only option in the policy-map
• Visibility and detection
• Optional prevention through remediation modules
ASA MPF configuration shown on the slide:
    policy-map global_policy
     class class-default
      sfr fail-open monitor-only
    service-policy global_policy global
(Figure: L3 or L2 mode ASA with a copy of traffic sent to the FirePOWER module)
BRKSEC-2030 81
Connectivity: ASA with FirePOWER Services – SPAN Port Mode
• ASA interface connected to a SPAN port
• ASA not in the data path
• Monitor-only configured on the interface
  • This interface cannot be used for regular ASA functionality
  • Other ASA interfaces can still be inline but cannot forward traffic to the FirePOWER module
• Only supported in transparent, single-context mode
• Visibility and detection
ASA configuration shown on the slide:
    firewall transparent
    int g0/0
     traffic-forward sfr monitor-only
(Figure: transparent mode ASA fed from a SPAN port)
BRKSEC-2030 82
Connectivity: Firepower Threat Defense Interface Modes
(Figure: interfaces A–J of one FTD device, grouped by interface mode)
• Routed/Transparent
• Inline Pair 1, Inline Pair 2 (Inline Set)
• Passive Interfaces
• Inline Tap
• Policy Tables
BRKSEC-2030 83
Planning: Define your requirements
Use Case
Location
Connectivity
Performance
Availability and Scaling
Management
BRKSEC-2030 84
Performance: How to measure and why it matters?
Sizing: Which device do I need to buy?
• Upgrade of an existing device, or a new device?
Features: What features am I going to need or want to run?
• Firewall, IPS, Application Control, URL, Malware?
Location: Where is the device in the network?
• In front of a DNS-only datacenter with millions of very small, very fast transactions, or in front of HTTP web servers serving normal web pages?
• Datacenter looking at only internal traffic, or Internet Edge looking at the wild Internet?
As with all performance discussions, YOUR MILEAGE MAY VARY!!
BRKSEC-2030 85
Performance: Determining your IPS Performance needs
• What does your traffic mix look like?
• What is your peak throughput?
• What features will you need?
• What is your peak conn/s and max conn?
• What is acceptable latency?
• Is there traffic excluded from inspection?
• Use NetFlow, NBAR, AVC, ASA stats
• Expected future growth
BRKSEC-2030 86
Performance: Throughput testing methodology
Datasheets generally have some indication of performance. In most cases this includes the infamous “throughput” measurement. Different product spaces have different typical “throughput” tests.
The firewall industry almost always publishes a max throughput number, usually based on a traffic type that is never helpful in determining sizing of the product. UDP 1518 byte packet size is fairly common.
The IPS industry has generally been more conservative about throughput estimates on their datasheets, partly because their performance range is much more variable than firewalls, and partly because of industry choice. TCP 440 byte HTTP is fairly common.
BRKSEC-2030 87
Performance: What Metrics do we provide?
ASA with FirePOWER Services
• Throughput: Maximum Stateful Firewall Throughput; Maximum VPN Throughput; Maximum AVC Throughput; Maximum AVC and NGIPS Throughput; AVC or IPS Sizing Throughput (440B)
• Connections: Maximum Concurrent Sessions; Maximum New Connections / Second
FirePOWER Appliances
• Throughput: FW Throughput; IPS Throughput (440B)
• Connections: Maximum Concurrent Sessions; Maximum New Connections / Second
BRKSEC-2030 88
Performance: Multiple-Services Performance Guideline
If you run AVC or AVC+AMP on top of IPS, reduce the datasheet IPS throughput by:
• 30-45% for IPS + AVC
• 50-65% for IPS + AVC + AMP
(Figure: relative throughput of IPS, IPS + AVC, and IPS + AVC + AMP)
BRKSEC-2030 89
Performance: FirePOWER Services for ASA
| Model | 5506-X | 5508-X | 5516-X | 5525-X | 5545-X | 5555-X | 5585-10 | 5585-20 | 5585-40 | 5585-60 |
|---|---|---|---|---|---|---|---|---|---|---|
| Max Stateful FW Throughput | 750 Mbps | 1 Gbps | 1.8 Gbps | 2 Gbps | 3 Gbps | 4 Gbps | 4 Gbps | 10 Gbps | 20 Gbps | 40 Gbps |
| VPN Throughput | 100 Mbps | 175 Mbps | 250 Mbps | 300 Mbps | 400 Mbps | 700 Mbps | 1 Gbps | 2 Gbps | 3 Gbps | 4 Gbps |
| Max AVC Throughput | 250 Mbps | 450 Mbps | 850 Mbps | 1.1 Gbps | 1.5 Gbps | 1.75 Gbps | 4.5 Gbps | 7 Gbps | 10 Gbps | 15 Gbps |
| Max AVC and IPS Throughput | 125 Mbps | 250 Mbps | 450 Mbps | 650 Mbps | 1 Gbps | 1.25 Gbps | 2 Gbps | 3.5 Gbps | 6 Gbps | 10 Gbps |
| AVC or IPS Sizing Throughput | 90 Mbps | 180 Mbps | 300 Mbps | 375 Mbps | 575 Mbps | 725 Mbps | 1.2 Gbps | 2 Gbps | 3.5 Gbps | 6 Gbps |
| Max Connections | 50,000 | 100,000 | 250,000 | 500,000 | 750,000 | 1,000,000 | 500,000 | 1,000,000 | 1,800,000 | 4,000,000 |
| Max CPS | 5,000 | 10,000 | 20,000 | 20,000 | 30,000 | 50,000 | 40,000 | 75,000 | 120,000 | 160,000 |
BRKSEC-2030 90
Performance: FirePOWER Appliances
| Model | 7030 | 7115 | 7125 | 8120 | 8140 | 8350 | 8360 | 8370 | 8390 |
|---|---|---|---|---|---|---|---|---|---|
| Firewall Throughput | 500 Mbps | 1.5 Gbps | 2.5 Gbps | 4 Gbps | 10 Gbps | 30 Gbps | 60 Gbps | 90 Gbps | 120 Gbps |
| IPS Throughput | 250 Mbps | 750 Mbps | 1.25 Gbps | 2 Gbps | 6 Gbps | 15 Gbps | 30 Gbps | 45 Gbps | 60 Gbps |
| Max Connections | 500,000 | 1,500,000 | 2,500,000 | 3,000,000 | 7,000,000 | 12,000,000 | 24,000,000 | 36,000,000 | 48,000,000 |
| Max CPS | 5,000 | 27,500 | 42,500 | 45,000 | 100,000 | 180,000 | 360,000 | 540,000 | 720,000 |
BRKSEC-2030 91
Performance: Firepower Appliances
| Model | 4110 | 4120 | 4140 | SM-24 | SM-36 | SM-36x3 |
|---|---|---|---|---|---|---|
| Max Throughput: Application Control (AVC) | 12G | 20G | 25G | 25G | 35G | 100G |
| Max Throughput: Application Control (AVC) and IPS | 10G | 15G | 20G | 20G | 30G | 90G |
| Sizing Throughput: AVC (450B) | 4G | 8G | 10G | 9G | 12.5G | 30G |
| Sizing Throughput: AVC+IPS (450B) | 3G | 5G | 6G | 6G | 8G | 20G |
| Maximum concurrent sessions w/AVC | 4.5M | 11M | 14M | 28M | 29M | 57M |
BRKSEC-2030 92
Cisco FMCv/FTDv in AWS
AWS FMCv is optional, as many organizations prefer to use their on-premises FMC.
• Cisco Smart Licensing; AWS hourly coming soon
• AWS Security Group access control must permit SSH/HTTPS access to your instances
• Create and attach network interfaces and add a route table entry for Internet access
• An Elastic IP (static, persistent public IP) is required for either FTDv or FMCv remote admin access
• * 2 management interfaces required for AWS FTDv
| | Instance Type | Interf./Subnets | vCPUs | RAM (GB) |
|---|---|---|---|---|
| FMCv | m3.large | 3 | 2 | 7.5 |
| FMCv | m3.xlarge | 3 | 4 | 15 |
| FMCv & FTDv* | c3.xlarge | 2 | 4 | 7.5 |
| FMCv | c3.2xlarge | 8 | 4 | 15 |
BRKSEC-2030 93
Planning: Define your requirements
Use Case
Location
Connectivity
Performance
Availability and Scaling
Management
BRKSEC-2030 94
Availability and Scaling: What should happen if the IPS fails?
| | ASA with FirePOWER Services | FirePOWER Appliance – Promiscuous | FirePOWER Appliance – Inline |
|---|---|---|---|
| Network Availability | • ASA w/ Firepower Fail-Open | • N.A. | • Automatic Application Bypass • Hardware Bypass • Alternate Path |
| Security Availability | • ASA A/S Failover | • FirePOWER Clustering – Passive Redundancy | • FirePOWER Clustering – Inline • FirePOWER Clustering – Switched • FirePOWER Clustering – Routed |
BRKSEC-2030 95
Network Availability: Fail-Open for ASA with FirePOWER Services
• Fail-Open and Fail-Closed are configured in the ASA policy-map
• Determines what the ASA does when the FirePOWER module has failed
• With Fail-Closed, traffic will be blocked when the module is unavailable
• With Fail-Open, traffic will be allowed and not inspected when the module is unavailable
• Only used if the ASA cannot failover
(Figure: data flow through the ASA and the Firepower module (HW or SW); after a health check failure the data flow bypasses the module)
ASA MPF configuration shown on the slide:
    policy-map global_policy
     class class-default
      sfr fail-open
    service-policy global_policy global
BRKSEC-2030 96
Network Availability: Automatic Application Bypass (AAB) for FirePOWER IPS
• AAB limits the time allowed to process packets through an interface
• Increased processing time may be due to misconfiguration or a SW issue
• Not the same as Packet / Rule Latency Thresholding
• Inspection is bypassed if the processing time is exceeded, causing all Snort processes to terminate
• AAB will restart the Snort IPS engine within 10 minutes after failure
• Bypass threshold: 250ms – 6s (3s default)
• Generates a Health Monitoring alert
• Supported on FirePOWER hardware appliances and NGIPSv
• Not supported on ASA with FirePOWER Services
(Figure: data flow through the Firepower appliance; when processing time is exceeded, the data flow bypasses inspection)
BRKSEC-2030 97
Network Availability: Hardware Bypass for FirePOWER IPS
• Fail-to-wire
• Traffic bypasses the appliance on power failure
• Supported on physical FirePOWER appliances only
• Supported on both copper and fiber interfaces
• Hardware Bypass network modules available for the 8000 series
• Inline interface mode only
(Figure: appliance between two Ethernet switches. Normal: link is up through the appliance. Power loss: no link to the appliance, Hardware Bypass activated and the link passes straight between the switches)
BRKSEC-2030 98
Network Availability: Alternate Path for FirePOWER IPS
• Sensor and alternate path between 2 switches, or 2 VLANs on the same switch
• STP determines the forwarding/blocking path
• Sensor failure causes STP to place the alternate path in forwarding state
(Figure: data flow through the sensor; alternate path blocked by Spanning Tree until the sensor fails)
BRKSEC-2030 99
Security Availability: A/S Failover for ASA with FirePOWER Services
• For locations where high availability is the primary concern
• ASAs sync their connection table
• ASA configuration is automatically synced
• FirePOWER configuration should be synced using Firepower Management Center
• FirePOWER modules do not synchronize their connection tables
  • Mid-session pickup on FirePOWER modules
• Supported in both routed and transparent mode
(Figure: ACTIVE and STANDBY ASA between two Ethernet switches; after the active unit FAILS, data flow moves to the newly ACTIVE unit)
BRKSEC-2030 100
Security Availability: Clustering (HA) for FirePOWER Appliances
• Not the same as ASA Clustering
• FirePOWER Clustering (HA) establishes resiliency between 2 appliances or 2 stacks
• Clustered devices can synchronize state via the HA link
• Single logical system in Firepower Management Center for policy application
• Both devices must be the same model, with identical interfaces, same software and licenses
• Automatic failover happens on appliance health failure, hardware failure, during a system update or device shutdown
• Multiple clustered redundancy deployment models: Passive, Inline, Routed, Switched
BRKSEC-2030 101
Security Availability: Clustering for FirePOWER Appliances – Passive Deployment Redundancy
• TAP or SPAN feed to multiple appliances in passive mode
• Standby appliance brings interfaces up if the active appliance fails health checks
• Same as having multiple standalone IDS appliances, except duplicate events are suppressed
(Figure: SPAN’ed traffic fed to an Active and a Standby appliance; after the active appliance FAILS, the standby becomes Active)
BRKSEC-2030 102
Security Availability: Clustering for FirePOWER Appliances – Inline Deployment Redundancy
• Sensors between 2 switches
• STP determines the forwarding/blocking path
• Sensor failure causes STP to place the other sensor in forwarding state
• Clustering does State Push for session state to ensure flow continuity on failover
(Figure: data flow through one sensor; the path through the other sensor is blocked by Spanning Tree)
BRKSEC-2030 103
Security Availability: Clustering for FirePOWER Appliances – Switched Deployment Redundancy
• Sensors between switches, or VLANs on the same switch
• Virtual Switch configuration
• STP determines the forwarding/blocking path
• Sensor failure causes STP to place the other sensor in forwarding state
• Clustering does State Push for session state to ensure flow continuity on failover
(Figure: VLAN 20 and VLAN 200 bridged through two sensors; one is the active STP path, the other path is blocked by STP)
BRKSEC-2030 104
Security Availability: Clustering for FirePOWER Appliances – Routed Deployment Redundancy
• Virtual Router configuration
• Hosts typically have a statically defined GW
• Redundancy in a routed deployment requires routed interfaces to share a GW IP address
• SFRP (similar to VRRP) creates an Active/Passive deployment by advertising the active IP only on 1 interface
• If that interface goes down, the backup interface begins advertising the IP address
• Clustering does State Push for session state to ensure flow continuity on failover
(Figure: ACTIVE and STANDBY sensors between two Ethernet switches; after the active sensor FAILS, data flow moves to the newly ACTIVE sensor)
BRKSEC-2030 105
Availability and Scaling: How to scale beyond what 1 appliance can do?
| | ASA with FirePOWER Services | FirePOWER Appliance – Passive | FirePOWER Appliance – Inline | Firepower with NGFW (FTD) |
|---|---|---|---|---|
| Scaling | • NA | • Stacking | • Stacking | • NA |
| Scaling + Availability | • ASA Clustering * | • Passive Clustered Stack • FirePOWER Passive Appliances with Etherchannel RSPAN * | • Clustered Stack • ASA with FirePOWER Appliances * | • Clustering |
* Can be deployed in asymmetric traffic environments
BRKSEC-2030 106
Scaling: Stacking for FirePOWER 8000 Series
• 4x stacking supported on the 8300 and 8200; 2x stacking on the 8100 Series
| 8350 | 8360 | 8370 | 8390 |
|---|---|---|---|
| 15 Gbps | 30 Gbps | 45 Gbps | 60 Gbps |
BRKSEC-2030 107
Scaling + Availability: Clustering for ASA5500-X
• Scaling and availability for FirePOWER Services
• Can be deployed in an asymmetric environment
• Up to 16 ASA5585-X or two ASA5500-X with FirePOWER Services
• Stateless load balancing by external switch
  • Support for vPC and LACP
• Cluster Control Protocol/Link
  • State-sharing between firewalls for concerted operation and high availability
  • Every session has a primary and secondary owner ASA
• ASA provides traffic symmetry to FirePOWER modules
(Figure: ASA cluster attached to the switching fabric via vPC on both sides)
BRKSEC-2030 108
Scaling + Availability: Clustered Stack of FirePOWER Appliances
• Stack-to-stack high availability
• Supported on the 8000 Series
• Scaling and availability for FirePOWER Services
• Supported for passive, inline, switched and routed clustered deployment
• Not suggested for asymmetric environments
• Stacks must have identical hardware
(Figure: Active and Standby stacks; passive case fed by SPAN’ed traffic, inline case with the standby path blocked by Spanning Tree)
BRKSEC-2030 109
Scaling + Availability: Etherchannel RSPAN with FirePOWER Passive Appliances
• Provides IDS scaling and availability
• No FirePOWER Clustering
• Can be deployed in an asymmetric environment
• Asymmetric traffic flow through the DC switching infrastructure
• Switches mirror traffic at key intersection points into an RSPAN VLAN
• RSPAN collection switch aggregates flows and feeds them into an Etherchannel
• FirePOWER appliances process the aggregated SPAN traffic in passive mode
(Figure: vPC-attached DC fabric mirroring into an RSPAN collection switch)
BRKSEC-2030 110
Scaling + Availability: ASA with Inline FirePOWER Appliances
• Provides IPS scaling and availability
• Can be deployed in an asymmetric environment
• ASA appliances deployed as a cluster in multi-context mode
• Inline FirePOWER appliances attached in between the contexts
• ASA Clustering automatically redirects asymmetrically received packets to the ASA connection owner
• Local FirePOWER appliances have full visibility into the flow due to localized processing
• Cisco Validated Design
(Figure: ASA cluster attached via vPC, with inline FirePOWER appliances between the contexts)
BRKSEC-2030 111
Availability and Scaling: Availability and Scaling Options on ASA with FirePOWER Services
| | 5506 | 5506-H | 5506-W | 5508/5516 | 5525/45/55 | 5585-X |
|---|---|---|---|---|---|---|
| Multi-Context | NO | NO | NO | YES | YES | YES |
| High Availability | A/S | A/S | A/S | A/S, A/A | A/S, A/A | A/S, A/A |
| Clustering | NO | NO | NO | NO | YES (2) | YES (16) |
| Module Fail-Open | YES | YES | YES | YES | YES | YES |
| Automatic Application Bypass | NO | NO | NO | NO | NO | NO |
BRKSEC-2030 112
Availability and Scaling: Availability and Scaling Options on FirePOWER Appliances
| | NGIPSv | 7000 | 7100 | 8100 | 8200/8300 |
|---|---|---|---|---|---|
| FirePOWER Stacking | NO | NO | NO | YES (2) | YES (4) |
| FirePOWER Clustering | NO | YES | YES | YES | YES |
| Clustered Stacks | NO | NO | NO | YES | YES |
| Automatic Application Bypass | YES | YES | YES | YES | YES |
| Hardware Bypass | NO | YES | YES | YES | YES |
* 7115, 7125, and 7150 models only
BRKSEC-2030 113
Availability and Scaling: Availability and Scaling Options on Firepower NGFW (FTD)
| | FP4100 | FP9300 |
|---|---|---|
| Multi-Context | NO | NO |
| High Availability | A/S, A/A | A/S, A/A |
| Clustering | YES (5) * | YES (5) * |
| Module Fail-Open | NO ** | NO ** |
| Automatic Application Bypass | NO | NO |
* Clustering will be available in a future release
** Interfaces with built-in bypass available in a future release
BRKSEC-2030 114
Planning: Define your requirements
Use Case
Location
Connectivity
Performance
Availability and Scaling
Management
BRKSEC-2030 115
Management: Firepower Management Center
• Management platforms: Firepower Management Center, ASDM *
• Firepower Management Center can be an appliance or a VM
• Firepower Management Center appliances can be deployed in HA
• Determining factors: device type, deployment size, cost, other security devices, scaling requirements, responsibilities
| | FMC | ASDM |
|---|---|---|
| Model | Server, web-based UI | On-box |
| Form Factor | VM or Appliance | Runs on ASA |
| # devices | Up to 300 | 1 |
| Cost | $ | No charge |
| Manages | FirePOWER, FirePOWER Services | ASA, FirePOWER Services on select platforms |
| Contextual Awareness and Visibility | Detailed | Basic, no IoC or Impact Assessment |
| Event Collection | Extensive | Basic |
| Reporting | Extensive | Basic |
| Health Monitoring | Extensive | Basic: CPU, Memory |
* ASDM currently only manages FirePOWER Services on 5506/8/16
BRKSEC-2030 116
Management: Firepower Management Center Appliances
| | 750 | 2000 | 4000 | Virtual |
|---|---|---|---|---|
| Maximum devices managed* | 10 | 70 | 300 | Virtual FireSIGHT® Management Center: up to 25 managed devices (ASA or FirePOWER appliances) |
| Event storage | 100 GB | 1.8 TB | 3.2 TB | |
| Maximum network map (hosts/users) | 2000/2000 | 150,000/150,000 | 600,000/600,000 | |
| Events per second (EPS) | 2000 | 12,000 | 20,000 | |
Virtual FireSIGHT® Management for 2 or 10 ASA devices only! Not upgradeable: FS-VMW-2-SW-K9, FS-VMW-10-SW-K9
* Max number of devices is dependent upon sensor type and event rate
BRKSEC-2030 117
IPS Deployment Process
(Figure: cycle of Policy → Planning & Hardware Selection → Implementation & Operation → Evaluation)
BRKSEC-2030 118
Implementation: Installation, Basic Configuration and Insertion into the network
1. Installation of Firepower Management Center
2. Installing FirePOWER appliance or FirePOWER Services for ASA
3. Adding FirePOWER appliance/module into Firepower Management Center
4. Apply basic configuration
5. Insertion into the network
6. Tuning
7. Optional: Move from Audit mode to inline mode
8. Operation
BRKSEC-2030 119
Implementation: Adding a FirePOWER device into Firepower Management Center
1. On the FirePOWER device, identify the Firepower Management Center that will be managing the device. This can be done via CLI, LCD panel * or GUI *
2. On the Firepower Management Center, navigate to Device Management to add the new device
CLI session shown on the slide (FMC IP address and registration key):
    > configure manager add 10.89.145.102 cisco123
    Manager successfully configured.
(Figure: GUI option with FMC IP address and key; FMC Device Management form with device IP address and registration key, licenses applied to FireSIGHT MC, and the default Access Control Policy)
* LCD panel/GUI options only apply to physical FirePOWER appliances
BRKSEC-2030 120
Implementation: Basic Configuration
(Figure: Access Control Policy with its IPS policy and Default Action)
BRKSEC-2030 122
Implementation: Policies
• Platform and System Policy: manages system-level settings such as audit logs, mail relay, etc.
• Health Policy: a collection of health module settings to check the health of devices
• Network Discovery Policy: defines how the system collects data on network assets
• Malware & File Policy: used to perform AMP and file filtering
• Intrusion Policy: defines the IPS rules to be enabled for inspection
• SSL Policy: defines what traffic to decrypt and how to decrypt it
• Access Control Policy: permits/denies traffic through the device, defines which Intrusion/File policies are applied to traffic flows
• DNS Policy: defines custom DNS policies and the system-provided default policy
• Identity Policy: associates traffic with an authoritative identity source (LDAP, AD or ISE)
BRKSEC-2030 123
Implementation: What are the different Base IPS Policies?
Connectivity over Security: ~ 500 rules
• CVSS score of 10
• Age of vulnerability: 1 year and newer
Balanced: ~ 7700 rules
• CVSS score of 9 or greater
• Age of vulnerability: 1 year and newer
• Rule category equals Malware-CnC, blacklist, SQL Injection, Exploit-kit
Security over Connectivity: ~ 10700 rules
• CVSS score of 8 or greater
• Age of vulnerability: 2 years and newer
• Rule category equals Malware-CnC, blacklist, SQL Injection, Exploit-kit, App-detect
Maximum Detection: ~ 5600 rules
• CVSS score of 7.5 since 2005, plus critical malware and exploit kit rules
BRKSEC-2030 124
Implementation: Audit Mode
• Inline deployment without actually affecting traffic
• Disable “Drop when inline” when creating the IPS policy
• In passive deployments, the system cannot affect traffic regardless of the drop behavior
• Events will show “Would have dropped” when the sensor is deployed passively or when “Drop when inline” is disabled
(Figure: the “Drop when inline” setting in the intrusion policy)
BRKSEC-2030 125
Operation: Features for more effective operation
• Host, user discovery and application identification
• Host Profiles
• Impact Levels
• FireSIGHT Recommendations
• Indications of Compromise
BRKSEC-2030 126
Operation: Network Discovery
Host discovery
• Identifies OS, protocols and services running on each host
• Reports on potential vulnerabilities present on each host based on the information it has gathered
Application identification
• FireSIGHT can identify over 1900 unique applications using OpenAppID
• Includes applications that run over web services such as Facebook or LinkedIn
• Applications can be used as criteria for access control
User discovery
• Monitors for user IDs transmitted as services are used
• Integrates with MS AD servers to authoritatively ID users
• Authoritative users can be used as access control criteria
BRKSEC-2030 127
Host Profile: What have we learned?
• All information we know about each host we monitor
  • Current and historic users
  • OS, servers, applications
  • Indications of Compromise
  • Malware detections
  • Vulnerabilities
BRKSEC-2030 128
Network Discovery: How is the information used?
FireSIGHT Recommendations
• Uses the information we learned about each host
• Automatic selection of rules that apply to your environment
Impact Assessment
• Correlation of IPS events with their impact on the target host
Indications of Compromise
• Tags that indicate a likely host infection has occurred
• FireSIGHT tracks and correlates IoCs across all sensor points with Security Intelligence and Malware Active.
BRKSEC-2030 129
Impact Assessment: How relevant is the attack?
| Impact Flag | Administrator Action | Why |
|---|---|---|
| 1 | Act Immediately, Vulnerable | Event corresponds to a vulnerability mapped to the host |
| 2 | Investigate, Potentially Vulnerable | Relevant port open or protocol in use, but no vulnerability mapped |
| 3 | Good to Know, Currently Not Vulnerable | Relevant port not open or protocol not in use |
| 4 | Good to Know, Unknown Target | Monitored network, but unknown host |
| 0 | Good to Know, Unknown Network | Unmonitored network |
BRKSEC-2030 130
FireSIGHT Recommendations: Automatic tuning based on your environment
• IPS rule recommendations based on what is learned from Network Discovery
• Associates the OS, servers and applications detected with rules specific to those assets
• Identifies the current state of rules in your base policy and recommends and/or sets rule state changes
• Combining a Cisco-provided default policy with FireSIGHT Recommendations results in an IPS policy matching the Talos-recommended settings for your assets
(Figure: the Recommendations page in the intrusion policy)
BRKSEC-2030 131
Indications of Compromise (IoCs)
IPS Events
• Malware Backdoors
• CnC Connections
• Exploit Kits
• Admin Privilege Escalations
• Web App Attacks
SI Events
• Connections to Known CnC IPs
Malware Events
• Malware Detections
• Malware Executions
• Office/PDF/Java Compromises
• Dropper Infections
BRKSEC-2030 132
IPS Deployment Process
(Figure: cycle of Policy → Planning & Hardware Selection → Implementation & Operation → Evaluation)
BRKSEC-2030 133
Evaluation: Is the IPS Deployment Effective?
• Initially:
  • (Fine) tuning
• Continuously:
  • Signature updates
  • FireSIGHT Recommendations
• Periodically:
  • Vulnerability scan
  • Penetration testing
BRKSEC-2030 134
Migrating to FirePOWER NGIPS: Things to consider when migrating
• Additional hardware needs
• New software, licensing and management needs
• Can the current hardware deliver the required performance?
• What additional features will we be using?
• Not a 1:1 migration
• Migration strategy to use
• How to install a new FirePOWER module on an existing ASA
• How will you migrate your policies and rules?
BRKSEC-2030 136
Migrating to FirePOWER Services for ASA: Sizing guidance when migrating
When replacing an existing service module like Cisco CX or the classic IPS module:
• Understand the traffic load the device is seeing
• Understand the inspection load the current device is under
• Compare the current inspection load, if possible, to the expected load on the new module, reducing available throughput based on the features required
• If you run more features, the performance will be impacted
BRKSEC-2030 137
Migrating to FirePOWER Services for ASA: Sizing guidance when migrating from legacy Cisco IPS
IPS-only test comparing throughput (Mbps) of FirePOWER Services for ASA to the legacy IPS module.
Tested using the same 440 byte HTTP transactional test that was the benchmark for legacy IPS.
| | 5506 | 5508 | 5516 | 5525 | 5545 | 5555 | 5585-10 | 5585-20 | 5585-40 | 5585-60 |
|---|---|---|---|---|---|---|---|---|---|---|
| FirePOWER Services on ASA | 90 | 180 | 300 | 375 | 575 | 725 | 1200 | 2000 | 3500 | 6000 |
| Classic IPS on ASA | NA | NA | NA | 400 | 600 | 850 | 1150 | 1500 | 3000 | 5000 |
BRKSEC-2030 138
Migrating to FirePOWER Services for ASA: Sizing guidance when migrating from legacy Cisco IPS
When upgrading from classic IPS to FirePOWER Services, adding new features can require a platform change. Generally each new major feature is a step up, assuming the box is near capacity.
| Model | 5506-X | 5508-X | 5512-X | 5516-X | 5525-X | 5545-X | 5555-X | 5585-10 | 5585-20 | 5585-40 | 5585-60 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Classic IPS Module | NA | NA | 150 | NA | 400 | 600 | 850 | 1150 | 1500 | 3000 | 5000 |
| FirePOWER AVC or IPS | 90 | 180 | 100 | 300 | 375 | 575 | 725 | 1200 | 2000 | 3500 | 6000 |
| FirePOWER IPS + AVC | 65 | 115 | 75 | 200 | 255 | 360 | 450 | 800 | 1200 | 2100 | 3500 |
| FirePOWER IPS + AVC + AMP | 40 | 85 | 60 | 150 | 205 | 310 | 340 | 550 | 850 | 1500 | 2300 |
BRKSEC-2030 139
Migrating to FirePOWER NGIPS Appliances: Migration strategies based on risk assessment
1. Cut over to FirePOWER in Inline IPS Mode
  • Replace legacy IPS with FirePOWER in IPS mode. Monitor closely, and adjust the policy. Most risky option for legitimate traffic.
2. Cut over to FirePOWER in Inline Audit Mode
  • Replace legacy IPS with FirePOWER in Audit mode. Monitor traffic and alerts, and then put the sensor in IPS mode. Most risky option vs. malicious traffic and for compliance.
3. Run Both Legacy IPS and FirePOWER IPS in Audit Mode Temporarily
  • Connect FirePOWER IPS in Audit mode to the untrusted side of the existing legacy IPS. Monitor traffic and tune where needed, then complete the migration by removing the legacy IPS and turning off Audit mode. FirePOWER may miss what is blocked by the legacy IPS.
4. Run Both Legacy IPS and FirePOWER IDS Temporarily
  • Install FirePOWER in IDS mode, connected to a SPAN port or other method of capturing network traffic. Monitor the sensor and adjust policy accordingly. When the sensor is tuned, complete the migration with either option 1 or 2, above.
BRKSEC-2030 140
Migrating to FirePOWER NGIPS Appliances: Both legacy IPS and FirePOWER IPS in Audit mode temporarily
(Figure: FirePOWER IPS in Audit Mode on the untrusted side of the legacy IPS)
BRKSEC-2030 141
Migrating to FirePOWER NGIPS Appliances: Both legacy IPS and FirePOWER IDS temporarily
(Figure: FirePOWER in IDS mode on a SPAN port alongside the legacy inline IPS)
BRKSEC-2030 142
Migrating to FirePOWER NGIPS Appliances: Migration tool, guide and training
• Cisco Legacy IPS to FirePOWER NGIPS Migration Guidance Tool
  • Consumes a Cisco IPS configuration file and generates a recommendations document
  • Standalone IPS appliances as well as ASA IPS modules
  • Areas of focus: network insertion, policies and signatures/rules
  • Matches Snort rules to Cisco IPS signatures
  • https://fwm.cisco.com
• Cisco Legacy IPS to FirePOWER NGIPS Migration Guide
  • Focused on standalone appliances
  • Explains FirePOWER in Cisco terminology
• BRKSEC-2018 - Tips and Tricks for Successful Migration to FirePOWER Solutions
BRKSEC-2030 143
• NGIPS extends classic IPS with application awareness, contextual awareness and content awareness to provide automation and reduce complexity
• Cisco NGIPS is available as FirePOWER appliances, a virtual form factor and FirePOWER Services for the ASA
• Multiple deployment options to address a multitude of
  • Use cases / locations
  • Connection needs
  • Performance requirements
  • High availability and scaling
  • Management requirements
• Migrating to FirePOWER appliances involves determining additional hardware, software, licensing and management needs
Deploying IPS: Conclusion
Complete Your Online Session Evaluation
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.
• Complete your session surveys through the Cisco Live mobile app or from the Session Catalog on CiscoLive.com/us.
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions
Security Cisco Education Offerings
Course | Description | Cisco Certification
CCIE Security | Expert Level certification in Security, for comprehensive understanding of security architectures, technologies, controls, systems, and risks. | CCIE® Security
Implementing Cisco Edge Network Security Solutions (SENSS) | Configure Cisco perimeter edge security solutions utilizing Cisco Switches, Cisco Routers, and Cisco Adaptive Security Appliance (ASA) Firewalls | CCNP® Security
Implementing Cisco Threat Control Solutions (SITCS) | Deploy Cisco's Next Generation Firewall (NGFW) as well as Web Security, Email Security and Cloud Web Security | CCNP® Security
Implementing Cisco Secure Access Solutions (SISAS) | Deploy Cisco's Identity Services Engine and 802.1X secure network access | CCNP® Security
Implementing Cisco Secure Mobility Solutions (SIMOS) | Protect data traversing a public or shared infrastructure such as the Internet by implementing and maintaining Cisco VPN solutions | CCNP® Security
Implementing Cisco Network Security (IINS 3.0) | Focuses on the design, implementation, and monitoring of a comprehensive security policy, using Cisco IOS security features | CCNA® Security
Securing Cisco Networks with Threat Detection and Analysis (SCYBER) | Designed for security analysts who work in a Security Operations Center, the course covers essential areas of security operations competency, including event monitoring, security event/alarm/traffic analysis (detection), and incident response | Cisco Cybersecurity Specialist
Network Security Product Training | Official product training on Cisco's latest security products, including Adaptive Security Appliances, NGIPS, Advanced Malware Protection, Identity Services Engine, Email and Web Security Appliances | (none listed)
For more details, please visit: www.cisco.com/go/securitytraining or http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth or contact [email protected]
Security Joins the Customer Connection Program: Customer User Group Program
19,000+ members strong
• Who can join: Cisco customers, service providers, solution partners and training partners
• Private online community to connect with peers and Cisco's Security product teams
• Monthly technical and roadmap briefings via WebEx
• Opportunities to influence product direction
• Local in-person meet-ups starting Fall 2016
• New member thank-you gift* and badge ribbon when you join in the Cisco Security booth
• Other CCP tracks: Collaboration and Enterprise Networks
Join in World of Solutions: at the Security zone Customer Connection stand you can learn about CCP and join, and collect the new member thank-you gift* and Customer Connection Member badge ribbon.
Join online: www.cisco.com/go/ccp
Come to the Security zone to get your new member gift* and ribbon.
* While supplies last