next generation firewall- clle

Local Edition

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public

Local Edition

Cisco ASA NGFW Technical Deep Dive Clark Gambrel Consulting Systems Engineer – Security [email protected]

The world Is Changing – The Era of an Internet Make Over The Paradox for us as Security Professionals

4

VS.

Mobility Threats / APT Cloud Virtualization Devices Collaboration Apps BYOD HTTPS/SSL IPv6

SECURITY

Why Do I Need / Want Next Generation Firewalling? •  Pure visibility of network and application usage?

Is TCP Port 80 traffic really HTTP?

•  Identity Firewalling? How can I make access rules based on individual users and groups?

•  What CAN I block? How can I allow social media for my business and still block the unproductive games?

•  Acceptable Use? How can I ensure my users are not breaking policy?

•  Threat Defense? How can I defend against Day-Zero attacks to my network?

5

The ASA Next Generation Solution

Apps, Users URL Filtering Web Reputation (SIO)

CX capabili*es

Industry’s most widely deployed stateful inspection FW & remote access solution

ASA CX “solu1on”

IP Fragmentation

IP Option Inspection

TCP Intercept

TCP Normalization

ACL

NAT

VPN Termination

Routing

TCP Proxy

TLS Proxy

AVC Multiple Policy Decision Points

HTTP Inspection

URL Category/Reputation

ASA CX ASA

Layer 3/4 Firewall Still Needed?

Cisco ASA CX Main Features

•  User ID / Ac1ve & Passive Authen1ca1on •  Applica1on visbility & Control – Broad and Web •  SSL/TLS Decryp1on •  HTTP inspec1on •  Web Reputa1on •  URL filtering •  Repor1ng •  Even1ng •  Layer 3/7 access rules

8

Apps, Users: Business Problems Solved

Business Problem Addressed By ASA CX Example Apps

Bandwidth misuse View usage of Peer-to-Peer applications

Sensitive company data uploaded to the cloud Control usage of file sharing applications

Employee productivity Block non-productivity-related applications, while still allowing general access to social networking

Malware writers taking control of machines through remote control apps

Block remote control applications, while allowing WebEx

Malware masquerading as a well-known app

Identify and control applications that operate on well-known open ports

Apps, Micro-apps and App Behavior

App Support

75k+ MicroApps

MicroApp Engine

Deep classifica1on of targeted traffic

App Behavior

Control user interac1on with the applica1on

Broad… … classifica1on of all traffic

1,000+ apps

Granular App Control

Jul Aug Sep

http://www.asacx-cisco.com/

•  Ameba •  Yahoo! Mobage •  2Channel •  Pinterest: Block File Upload, Block

Posting Text, Block Like •  Yandex

Nov •  Winamp Remote •  Gree •  Google Drive: Upload, Download, Sharing,

Editing

•  Scribd: Upload, Download, Post

•  SkyDrive: Upload, Download, Editing

•  SmugMug: Upload, Download, Like, Sharing •  Microsoft Windows Azure •  Salesforce CRM •  Msft CRM Dynamic •  iscsi-target •  LogMeIn •  Mikogo •  Oracle e-Business Suite

Unencrypted Traffic •  Google Services

Dec

•  eBay •  FileDropper •  Mixi •  AOL Mail: Download attachment, Upload

attachment, Send email

•  Photobucket: Upload file, Download file, Share

•  Dailymotion: Upload file, Post, Site Content Enforcement

•  Answers.com: Post •  DocStoc: Upload file, Download file

•  Microsoft Lync •  Gbridge

Jan

•  Tor •  ShowMyPC •  Facetime •  Yahoo-Accounts •  Camo-proxy •  Glide •  Nico Nico Douga •  Twiddla •  Suresome •  Techinline •  Vimeo: Upload, Download, Post text

Feb

hYp://www.asacx-‐cisco.com/

Application Development – www.asa-cx.com

URL Filtering: Business Problems Solved

Business Problem Addressed By ASA CX

Enforcing HR acceptable use policy Block certain web site categories for everyone: Adult, Child Abuse Content, Gambling, Hate Speech, Illegal Activities, etc

Creating a safe learning environment Deny students but allow faculty access to the following web site categories: Entertainment, Arts, Dining and Drinking, Online Trading

Maintaining employee productivity Deny employees access to the following web site categories: Sports and Recreation, Travel, Photo Search and Images

Controlling bandwidth-hungry sites Deny users access to the following web site categories: File Transfer Services, Freeware and Shareware, Illegal Downloads, Internet Telephony

Users circumventing policy Block proxies that allow you to surf the internet anonymously

URL: Industry-leading coverage and efficacy

Content Filtering

Marke1ng Legal Finance

Web Reputation: Business Problems Solved

Business Problem Addressed By ASA CX

Zero-day malware getting through traditional defenses

Malware gets constantly tweaked so that desktop/network AV does not detect it. New malware is released in the wild for <24 hours. Web Reputation is always able to block it even if the payload had changed.

Social engineering attacks You get a URL link in Facebook chat, saying “Check out this cool video!”. You click the link. Web Reputation blocks that specific transaction, while allowing general access to Facebook.

Infected machines sending data out ASA’s Botnet Traffic Filter detects and blocks all attempts to contact command-and-control centers / Botnet masters

Senderbase

Over 700K global sensors

Over 100M endpoints

5B web requests per day

Visibility into 35% of global email Global correla1on & so much more

Dynamic Updates

Every 3 -‐ 5 minutes

For every security product

Over 3K IPS signatures

Over 200 parameters tracked

Over 8M rules per day Threat Opera5ons Center

Over $100M in Dynamic R&D

Over 500 engineers, technicians & researchers

Over 40 languages

24x7x365 opera1ons

Over 100 security patents

SIO In Action Popular sport of the day - Phishing

hYp://www.carltoncupcakes.co.uk/web/nbtadf/caasav/5c3a91801f4553e7ba154429f3be5150/mfwidws.html

SIO In Action Today’s Catch - Malware

SIO In Action This One Didn’t Get Away

Topics of Interest

•  Hardware Overview

•  Software Overview

•  Packet Flow

•  Management Architecture

•  Traffic Redirection

•  ASA vs CX vs WSA vs CWS

Hardware Overview

23

Supported Hardware Platforms

ASA 5500-X supported ASA 5585-X SSP10 & 20 supported

24

Performance and

Scalability

Data Center Campus Branch Office Internet Edge

ASA 5585-‐X SSP-‐20 (10 Gbps, 125K cps)




ASA 5555-‐X (4 Gbps,50K cps)

ASA 5545-‐X (3 Gbps,30K cps) ASA 5525-‐X

(2 Gbps,20K cps)

ASA 5512-‐X (1 Gbps, 10K cps)

ASA 5515-‐X (1.2 Gbps,15K cps)

SOHO ROADMAP

24

ASA CX

•  Hardware blade on 5585-x

•  Software Install on 5500-x

•  SSP-10 and SSP-20 today

•  SSP-40/60 Q4CY13

ASA CX – Front View

Two Hard Drives Raid 1 (Event Data)

10GE and GE ports Two GE Management Ports

New 8 GB eUSB (System) New

Feature ASA5500x ASA5585-SSP

Storage •  SSD •  120GB capacity •  “show inventory” on ASA will show SSD

details •  ASA will shutdown CX service when all

storage devices have been removed

•  Spinning hard drives •  600GB capacity

RAID •  Supported only on 5545 & 5555 •  RAID CLI is on ASA

•  Supported on both SSP10 and SSP20 •  RAID CLI is on CX

Console & Management

•  CX console is thru ASA CLI •  Shares management port with ASA

•  Dedicated Console •  Dedicated Management port

CX - PRSM features

•  All features are supported •  All features are supported

CX on 5585x vs 5500x

SSP-10 SSP-20

Processors Multi-core 64-bit Multi-core 64-bit

Maximum Memory 12 GB (6 GB per blade) 24 GB (12 Gb per blade)

Maximum Storage 8 GB eUSB,

600 GB Hard Disk Raid1 / Hotswappable

8 GB eUSB, 600 GB Hard Disk

Raid1 / Hotswappable

Ports 2 x 10 Gb SFP+

8 x 1Gb Cu 2 x 1Gb Cu Mgmt

2 x 10Gb SFP+ 8 x 1Gb Cu

2 x 1Gb Cu Mgmt

Crypto Chipset Yes Yes

29

Feature ASA 5512-X

ASA 5515-X

ASA 5525-X

ASA 5545-X

ASA 5555-X

AVC + WSE 200 Mbps 350 Mbps 650 Mbps 1 Gbps 1.4 Gbps

Traffic Profile -‐ EMIX

ASA 5500-X NGFW Performance

30

ASA CX SSP 10

ASA CX SSP 20

Throughput Multi-Protocol 2 Gbps 5 Gbps

Concurrent Connections 500,000 1,000,000

New Connections per second 40,000 75,000

Source: Placeholder for Notes is 12pts

ASA 5585-X NGFW Performance