Next Generation Firewall - CLLE
DESCRIPTION
The Next Generation Firewall is important because it provides visibility of your network and application usage. The world of the internet is changing and the internet needs a makeover. Cisco Live Sled East, Cisco Live Local Edition (CLLE)
TRANSCRIPT
Local Edition
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco ASA NGFW Technical Deep Dive
Clark Gambrel, Consulting Systems Engineer – Security, [email protected]
The World Is Changing – The Era of an Internet Make Over
The Paradox for us as Security Professionals: Mobility, Threats / APT, Cloud, Virtualization, Devices, Collaboration Apps, BYOD, HTTPS/SSL, IPv6 vs. SECURITY
Why Do I Need / Want Next Generation Firewalling?
• Pure visibility of network and application usage? Is TCP Port 80 traffic really HTTP?
• Identity Firewalling? How can I make access rules based on individual users and groups?
• What CAN I block? How can I allow social media for my business and still block the unproductive games?
• Acceptable Use? How can I ensure my users are not breaking policy?
• Threat Defense? How can I defend against Day-Zero attacks to my network?
The ASA Next Generation Solution
ASA CX “solution” capabilities: Apps, Users; URL Filtering; Web Reputation (SIO); AVC; Multiple Policy Decision Points; HTTP Inspection; URL Category/Reputation; TCP Proxy; TLS Proxy
ASA (industry’s most widely deployed stateful inspection FW & remote access solution): IP Fragmentation; IP Option Inspection; TCP Intercept; TCP Normalization; ACL; NAT; VPN Termination; Routing
Layer 3/4 Firewall Still Needed?
Cisco ASA CX Main Features
• User ID / Active & Passive Authentication
• Application visibility & Control – Broad and Web
• SSL/TLS Decryption
• HTTP inspection
• Web Reputation
• URL filtering
• Reporting
• Eventing
• Layer 3/7 access rules
Apps, Users: Business Problems Solved
Business Problem / Addressed By ASA CX (example apps are shown on the slide):
• Bandwidth misuse: View usage of Peer-to-Peer applications
• Sensitive company data uploaded to the cloud: Control usage of file sharing applications
• Employee productivity: Block non-productivity-related applications, while still allowing general access to social networking
• Malware writers taking control of machines through remote control apps: Block remote control applications, while allowing WebEx
• Malware masquerading as a well-known app: Identify and control applications that operate on well-known open ports
Apps, Micro-apps and App Behavior
App Support:
• Broad classification of all traffic: 1,000+ apps
• MicroApp Engine: deep classification of targeted traffic, 75k+ MicroApps
• App Behavior: control user interaction with the application
Granular App Control (application roadmap by month, Jul Aug Sep through Feb; http://www.asacx-cisco.com/)
• Ameba • Yahoo! Mobage • 2Channel • Pinterest: Block File Upload, Block Posting Text, Block Like • Yandex
Nov
• Winamp Remote • Gree • Google Drive: Upload, Download, Sharing, Editing
• Scribd: Upload, Download, Post
• SkyDrive: Upload, Download, Editing
• SmugMug: Upload, Download, Like, Sharing • Microsoft Windows Azure • Salesforce CRM • Msft CRM Dynamic • iscsi-target • LogMeIn • Mikogo • Oracle e-Business Suite
• Unencrypted Traffic • Google Services
Dec
• eBay • FileDropper • Mixi • AOL Mail: Download attachment, Upload attachment, Send email
• Photobucket: Upload file, Download file, Share
• Dailymotion: Upload file, Post, Site Content Enforcement
• Answers.com: Post • DocStoc: Upload file, Download file
• Microsoft Lync • Gbridge
Jan
• Tor • ShowMyPC • Facetime • Yahoo-Accounts • Camo-proxy • Glide • Nico Nico Douga • Twiddla • Suresome • Techinline • Vimeo: Upload, Download, Post text
Feb
Application Development – www.asa-cx.com
URL Filtering: Business Problems Solved
Business Problem / Addressed By ASA CX:
• Enforcing HR acceptable use policy: Block certain web site categories for everyone: Adult, Child Abuse Content, Gambling, Hate Speech, Illegal Activities, etc.
• Creating a safe learning environment: Deny students but allow faculty access to the following web site categories: Entertainment, Arts, Dining and Drinking, Online Trading
• Maintaining employee productivity: Deny employees access to the following web site categories: Sports and Recreation, Travel, Photo Search and Images
• Controlling bandwidth-hungry sites: Deny users access to the following web site categories: File Transfer Services, Freeware and Shareware, Illegal Downloads, Internet Telephony
• Users circumventing policy: Block proxies that allow you to surf the internet anonymously
URL: Industry-leading coverage and efficacy
Content Filtering (figure: Marketing, Legal, Finance)
Web Reputation: Business Problems Solved
Business Problem / Addressed By ASA CX:
• Zero-day malware getting through traditional defenses: Malware gets constantly tweaked so that desktop/network AV does not detect it. New malware is released in the wild for <24 hours. Web Reputation is always able to block it even if the payload had changed.
• Social engineering attacks: You get a URL link in Facebook chat, saying “Check out this cool video!”. You click the link. Web Reputation blocks that specific transaction, while allowing general access to Facebook.
• Infected machines sending data out: ASA’s Botnet Traffic Filter detects and blocks all attempts to contact command-and-control centers / Botnet masters
Senderbase
• Over 700K global sensors
• Over 100M endpoints
• 5B web requests per day
• Visibility into 35% of global email
• Global correlation & so much more
Dynamic Updates
• Every 3 - 5 minutes
• For every security product
• Over 3K IPS signatures
• Over 200 parameters tracked
• Over 8M rules per day
Threat Operations Center
• Over $100M in Dynamic R&D
• Over 500 engineers, technicians & researchers
• Over 40 languages
• 24x7x365 operations
• Over 100 security patents
SIO In Action: Popular sport of the day - Phishing
http://www.carltoncupcakes.co.uk/web/nbtadf/caasav/5c3a91801f4553e7ba154429f3be5150/mfwidws.html
SIO In Action: Today’s Catch - Malware
SIO In Action: This One Didn’t Get Away
Topics of Interest
• Hardware Overview
• Software Overview
• Packet Flow
• Management Architecture
• Traffic Redirection
• ASA vs CX vs WSA vs CWS
Hardware Overview
Supported Hardware Platforms
• ASA 5500-X supported
• ASA 5585-X SSP10 & 20 supported
Performance and Scalability (Branch Office, Internet Edge, Campus, Data Center)
• ASA 5512-X (1 Gbps, 10K cps)
• ASA 5515-X (1.2 Gbps, 15K cps)
• ASA 5525-X (2 Gbps, 20K cps)
• ASA 5545-X (3 Gbps, 30K cps)
• ASA 5555-X (4 Gbps, 50K cps)
• ASA 5585-X SSP-10 (4 Gbps, 50K cps)
• ASA 5585-X SSP-20 (10 Gbps, 125K cps)
• ASA 5585-X SSP-40 (20 Gbps, 200K cps)
• ASA 5585-X SSP-60 (40 Gbps, 350K cps)
• SOHO: roadmap
ASA CX
• Hardware blade on 5585-x
• Software Install on 5500-x
• SSP-10 and SSP-20 today
• SSP-40/60 Q4CY13
ASA CX – Front View (figure): two hard drives in RAID 1 (event data); 10GE and GE ports; two GE management ports; new 8 GB eUSB (system)
CX on 5585-X vs 5500-X
Storage
• ASA 5500-X: SSD, 120GB capacity; “show inventory” on the ASA will show SSD details; the ASA will shut down the CX service when all storage devices have been removed
• ASA 5585-X SSP: spinning hard drives, 600GB capacity
RAID
• ASA 5500-X: supported only on 5545 & 5555; RAID CLI is on the ASA
• ASA 5585-X SSP: supported on both SSP10 and SSP20; RAID CLI is on CX
Console & Management
• ASA 5500-X: CX console is through the ASA CLI; shares the management port with the ASA
• ASA 5585-X SSP: dedicated console; dedicated management port
CX - PRSM features
• ASA 5500-X: all features are supported
• ASA 5585-X SSP: all features are supported
ASA CX SSP-10 vs SSP-20
• Processors: SSP-10 multi-core 64-bit; SSP-20 multi-core 64-bit
• Maximum Memory: SSP-10 12 GB (6 GB per blade); SSP-20 24 GB (12 GB per blade)
• Maximum Storage: SSP-10 8 GB eUSB, 600 GB hard disk, RAID 1 / hot-swappable; SSP-20 8 GB eUSB, 600 GB hard disk, RAID 1 / hot-swappable
• Ports: SSP-10 2 x 10 Gb SFP+, 8 x 1Gb Cu, 2 x 1Gb Cu Mgmt; SSP-20 2 x 10Gb SFP+, 8 x 1Gb Cu, 2 x 1Gb Cu Mgmt
• Crypto Chipset: SSP-10 yes; SSP-20 yes
ASA 5500-X NGFW Performance (traffic profile: EMIX)
AVC + WSE throughput:
• ASA 5512-X: 200 Mbps
• ASA 5515-X: 350 Mbps
• ASA 5525-X: 650 Mbps
• ASA 5545-X: 1 Gbps
• ASA 5555-X: 1.4 Gbps
• Throughput, multi-protocol: ASA CX SSP 10 2 Gbps; ASA CX SSP 20 5 Gbps
• Concurrent connections: ASA CX SSP 10 500,000; ASA CX SSP 20 1,000,000
• New connections per second: ASA CX SSP 10 40,000; ASA CX SSP 20 75,000
ASA 5585-X NGFW Performance
Software Architecture (figure labels): Control Plane; Management Plane; Data Plane – L3-L4, Identity, Broad AVC; HTTP Engine with AVC, URL and WBRS inspection engines; TLS Proxy; Eventing and Reporting; Authentication / Identity via AD, CDA (Cisco Context Directory Agent) and OpenLDAP; packet data and RPC data paths
Functional Overview
Compatibility* with existing ASA features
* in Version 1.0
Packet Flows
Packet flow diagram – ASA and ASA CX SSP
• ASA SSP configures and controls CX SSP customer ports
• ASA SSP processes all ingress/egress packets ‒ no packets are directly processed by the CX SSP except for management ports
(Figure: ASA 5585-X chassis with the ASA SSP and CX SSP, each with ports, 10GE NICs, a CPU complex, a fabric switch and a crypto engine (crypto or regex engine on the CX SSP), joined over the backplane; the path is ASA ingress, then CX ingress, then egress after CX processing.)
Packet flow diagram – ASA decision process (figure: ASA and ASA CX)
Day-in-the-life of a packet – example non-HTTP traffic
• Note: Details of the flow differ for different traffic characteristics
• L3/L4 Check: determine L3 and L4 information
• Broad AVC: determine protocol and application
• Access Policy: allow or deny verdict based on access policy
• Packet Egress: return the packet back to the ASA SSP with an allow verdict
Day-in-the-life of a packet – example HTTP traffic
• Note: Details of the flow differ for different traffic characteristics
• L3/L4 Check: determine L3 and L4 information
• Broad AVC: determine protocol and application
• TCP Proxy: handle the TCP 3-way handshake
• Access Policy: allow or deny verdict based on access policy
• HTTP Inspector: determine application, URL category, reputation, user agent
• Packet Egress: return the packet back to the ASA SSP with an allow verdict
ASA CX Management Architecture
Cisco Prime Security Manager (PRSM)
• Built-in/On-box: Configuration; Eventing; Reporting
• Off-box: Configuration; Eventing; Reporting; Multi-device Manager for ASA CX; Role Based Access Control; Virtual Machine or UCS Appliance (C Series M3); PRSM Virtual Machine supports VMware ESX 4.1+
What’s Available via CLI
• delete – delete files (cores and packet captures)
• setup – configure the IP addresses, hostname, domain, DNS, NTP
• system (reload | shutdown) – reboot or stop the blade
• system (upgrade | revert) – upgrade or downgrade the OS
• services (start | stop) – turn on and off the services, including packet inspectors
• ping, nslookup, traceroute – management interface connectivity troubleshooting
• show interface – statistics for the management interface
• show opdata – show operational data from the data plane
• show tech-support – output for Cisco support troubleshooting
• support tail log – watch the logs on the CLI
• support diagnostics – package and upload a collection of logs and debug info (including packet captures)
• config (backup | restore) – back up or restore the configuration. Backup requires FTP. Restore requires FTP or HTTP
Logs on ASA CX and PRSM
Sending Traffic to CX SSP
• Use the ASA Modular Policy Framework (MPF) to direct traffic to the CX blade.
• Note: You do not have to modify the ASA configuration – PRSM will do that for you.
• PRSM Multi-device applies this when connecting to CX:
policy-map global_policy
 class class-default
  cxsc fail-open auth-proxy
service-policy global_policy global
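As an added configuration example (not part of the presentation), the same MPF redirection can be narrowed and its failure mode chosen explicitly. The PRSM-generated policy sends everything (class-default) to the CX SSP with fail-open, which keeps traffic flowing uninspected while the module is down or rebooting; the variant below uses an access list to exclude an internal server range and fail-close so that matched traffic is dropped on the ASA instead of bypassing application control. The object-group, access-list and class-map names and the 10.10.0.0/16 range are assumptions for illustration.

```cisco
! Added example, not from the presentation. Names and addresses are assumed.
! Flows to the internal server range stay on the ASA L3/L4 path; deny ACEs in a
! class-map access list exclude traffic from the class rather than dropping it.
object-group network INTERNAL_SERVERS
 network-object 10.10.0.0 255.255.0.0
access-list CX_REDIRECT extended deny ip any object-group INTERNAL_SERVERS
access-list CX_REDIRECT extended permit ip any any

! Layer 3/4 class that selects the traffic handed to the CX SSP
class-map CX_CLASS
 match access-list CX_REDIRECT

policy-map global_policy
 class CX_CLASS
  ! fail-close: while the CX SSP is unavailable, matching traffic is dropped
  ! rather than forwarded without inspection (fail-open is the PRSM default).
  ! auth-proxy: allow CX to perform active user authentication on these flows.
  cxsc fail-close auth-proxy

service-policy global_policy global
```

Check the module state with `show module cxsc details` and the per-class redirect counters with `show service-policy cxsc`. A fail-close class needs a maintenance window for CX upgrades or reloads, since every flow the class matches is dropped for the duration; keeping management and critical infrastructure traffic out of the class, as the deny ACE above does, limits that blast radius.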
ASA CX & WSA/CWS: Feature Overlap & Differences
Common to ASA CX and WSA / CWS:
• URL Filtering
• Web Reputation
• Web Applications (like Facebook, LinkedIn, Twitter)
• User identification
• SSL Decryption
• Policy actions: allow/block
• End user notification
• Top N reports
WSA / CWS:
• Caching (WSA)
• AV Scanning
• Data Loss Prevention
• Explicit Proxy (WSA)
• SOCKS Proxy* (WSA)
• No backhauling (SS)
• Add’l policy actions: Time-based controls, warn
ASA CX:
• Inline firewall
• Non-web applications (like Skype, Oracle, SAP)
• Network protocols (like SMTP, DNS, ICMP)
• Layer 3-7 access rules
• Networking capabilities like NAT, Routing, VPN
• Inbound Threat Prevention*
* Roadmapped
ASA vs CX vs WSA vs CWS
• ASA: Core or Datacenter; Multi-tenant; Active/Active Failover
• ASA CX: Campus or Edge; Application Control; Next-gen Firewall
• WSA: Secure Web Proxy; Anti-Malware Scan; DLP; Caching; Comprehensive Web Security
• ASA CX: Next-gen Firewall; Inline; All ports/protocols; Essentials Web Security
• Cloud Web Security: Reduced equipment cost; Secure mobile/roaming users; Distributed enterprise
• ASA CX: On-prem security; Inline; All ports/protocols
(Figure labels) PRSM: Centralized Management & Reporting; Application Visibility & Control; Web Security Essentials: URL Filtering + Reputation; CX Hardware: Identity, Onbox Mgmt & Reporting; ASA Hardware; 1Y, 3Y, 5Y subscriptions
Register for Cisco Live - Orlando
Cisco Live - Orlando June 23 – 27, 2013 www.ciscolive.com/us