Date posted: 20-Oct-2015
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
NGFW Services Review
Peregrine – What is new in NGFW
Policy Enhancements
IPS
Demonstration
Rate Limiting
Multi-mode
Warning Feature
Licensing and Pricing
Questions and Answers
NGFW Services Refresher
ASA Module:
IP Fragmentation
IP Option Inspection
TCP Intercept
TCP Normalization
ACL
NAT
VPN Termination
Routing
Botnet Traffic Filter
NGFW Services Module:
TCP Proxy
TLS Proxy
AVC
Multiple Policy Decision Points
HTTP Inspection
URL Category/Reputation
NGFW IPS
Broad AVC:
• Broad protocol support
• Resides in data plane
• Less granular control
• Supports: application types (for example, email) and applications (for example, Simple Mail Transfer Protocol)
Web AVC:
• HTTP and decrypted HTTPS only
• More granular control
• Supports: application types (for example, Instant Messaging), applications (for example, Yahoo Messenger) and application behavior (for example, File Transfer)
Default web reputation profile: Suspicious (-10 through -6), Not suspicious (-5.9 through +10)
Reputation scale from -10 (most malicious) to +10 (most trustworthy):
• Dedicated or hijacked sites persistently distributing key loggers, root kits and other malware. Almost guaranteed malicious.
• Phishing sites, bots, drive-by installers. Extremely likely to be malicious.
• Aggressive ad syndication and user tracking networks. Sites suspected to be malicious, but not confirmed.
• Sites with some history of responsible behavior or 3rd party validation.
• Well managed, responsible content syndication networks and user generated content.
• Sites with long history of responsible behavior. Have significant volume and are widely accessed.
Profiles are used within policies
• Utilized after the policy has been matched
File filtering profile
• Blocks the download of specific MIME types
• Blocks the upload of specific MIME types
Web reputation profile
• Specifies threshold value for web reputation filter
• Default profile sets threshold to -6
Next-generation IPS profile
• Specifies threshold values for NGFW IPS
• Default: Block & Monitor 70, Allow & Monitor 40
• Two separate sessions, separate certificates and keys
• ASA CX acts as a CA, and issues a certificate for the web server
Corporate network (client) ↔ ASA CX ↔ Web server
1. Negotiate algorithms (on both sessions).
2. Authenticate server certificate (ASA CX to web server).
3. Generate proxied server certificate.
4. Client authenticates “server” certificate.
5. Generate encryption keys (on both sessions).
6. Encrypted data channel established (on both sessions).
Cert is generated dynamically with destination name but signed by ASA CX.
NGFW: New in the Peregrine Release
Peregrine has added the following features:
• Support for Active/Standby: PRSM can discover HA configuration and treat the HA pair as a single device (policy configuration, reporting)
• Next Generation IPS
• Platform support: support has been added for SSP 40 and 60; NGFW is now available on all midrange and all high-end models of ASA
Peregrine has added the following features:
• Time ranges
• Interface roles – collections of interfaces that can be used to construct policies
• Rate limits
• Safe Search
Note: Not all features are available for all types of policies.
New with NGFW 9.2
• Policy sets can have different scopes:
  – Universal – policy set is shared by all devices
  – Shared – policy set is shared among some devices
  – Local – policy set only applies to one device
• At the top is the universal top context-aware access policy set, applied first
• At the bottom is the universal bottom context-aware access policy set, applied last
Available in Peregrine release
• Policy driven by risk acceptance
• Threats are the focus, not signatures
• IPS policy is a part of the overall NGFW access policy
• References application awareness
• References source reputation
• Daily/hourly updates available for: threats/signatures, reputation feeds, parsing engines
Simplified Operation, Rich Policy Options, Highly Dynamic
• NGFW IPS Feature available through license
• NGFW IPS ON/OFF switch
• Blocking of traffic sourced from blacklisted IPs
• Option to exclude high reputation traffic
Available in Peregrine release
• Risk Based Control
• 3 ranges: Block and Monitor, Allow and Monitor, Don’t Monitor
• Customizable exceptions
Available in Peregrine release
• Threat Profile field
• Use a custom IPS profile or the device-level profile
• Different profiles can be applied to different subsets of traffic
• Selection criteria include 5-tuple, user and application
• Important to remember:
  – At the Access policy view, profiles are NOT visible
  – Access policies will have the “local” device-level profile automatically applied
  – Be certain to open the Profile tab of your Access policy to understand what is there
  – Do this for ALL Access policies
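The points above fit together: policy sets are walked top to bottom (universal top, shared, local, universal bottom), the first match decides, and only then are the matched policy's profile obligations applied, with the device-level profile standing in silently when a policy names none. The following Python model is an added illustration, not PRSM or ASA CX code; the -6, 70 and 40 thresholds are the defaults quoted on the slides, while the policy names, user, MIME type and connection attributes are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Profile:
    # Defaults are the ones quoted on the slides: reputation -6, IPS 70 / 40.
    name: str
    blocked_mime: frozenset = frozenset()
    reputation_threshold: float = -6.0
    ips_block_at: int = 70
    ips_monitor_at: int = 40

@dataclass(frozen=True)
class Policy:
    name: str
    action: str                        # "allow" or "deny"
    app: Optional[str] = None          # match criteria; None is a wildcard
    user: Optional[str] = None
    profile: Optional[Profile] = None  # None: the device-level profile is applied silently

    def matches(self, conn):
        return self.app in (None, conn["app"]) and self.user in (None, conn["user"])

DEVICE_PROFILE = Profile("device-level")   # the invisible "local" profile from the slide

def apply_profile(profile, conn):
    # Profile obligations are evaluated only after an allow policy has matched.
    if conn.get("mime") in profile.blocked_mime:
        return "block (file filtering)"
    if conn["reputation"] <= profile.reputation_threshold:
        return "block (web reputation)"
    if conn["threat_rating"] >= profile.ips_block_at:
        return "block and monitor (IPS)"
    if conn["threat_rating"] >= profile.ips_monitor_at:
        return "allow and monitor (IPS)"
    return "allow"

def evaluate(universal_top, shared, local, universal_bottom, conn):
    # Policy sets are walked in their fixed order; the first matching policy decides.
    for policy in (*universal_top, *shared, *local, *universal_bottom):
        if policy.matches(conn):
            if policy.action == "deny":
                return policy.name, "deny"
            return policy.name, apply_profile(policy.profile or DEVICE_PROFILE, conn)
    return None, "deny (no match)"

if __name__ == "__main__":
    # Constructed example: a local policy with a stricter profile plus the universal bottom default.
    local = [Policy("web", "allow", app="HTTP",
                    profile=Profile("strict", frozenset({"application/x-msdownload"}), -4.0))]
    conn = {"user": "alice", "app": "HTTP", "mime": "text/html", "reputation": -5.0, "threat_rating": 10}
    print(evaluate([], [], local, [Policy("default", "allow")], conn))  # ('web', 'block (web reputation)')
```

Removing the local policy makes the same connection fall through to the default policy and the device-level profile, where -5.0 is above the -6 threshold and the connection is allowed; that is the silent change the slide warns about.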
Available in Peregrine release
• Threats
  – Risk-focused settings
  – Edge-focused coverage
  – Automatic engine/signature update
  – Consumption of App ID and Web Security data
• Signatures
  – Broad coverage
  – Tunable and custom signatures
  – Wide range of event actions
Attributes: Effective, Dedicated, Simple, Integrated, DC-ready, Customizable
• Threats: What the attack is about – its target and potential impact. 730+ threats.
• Signatures: The means of detecting a threat. 950+ signatures.
• Engines: The parser that applies signatures to the traffic. Borrowed / repurposed / improved – “different”. Can be updated without a “dot” release – delivered with signature updates.
• Release Plans: Expand beyond classic IPS default. NGFW signatures will parallel classic IPS releases starting December, 1 day lag by February.
[Chart: Signature Count versus Threat Rating (0–100); series: NGFW-IPS, IPS]
Demonstration
Stijn Vanveerdeghem
Rate Limiting and Safe Search
New with NGFW 9.2
• Applies to context-aware access policies only
• Limits bandwidth usage per policy
• Excessive packets are dropped
• The rate limit is an obligation attached to the policy
• Allotted bandwidth is shared between all flows that match the policy
C97-729687-00 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 27
New with NGFW 9.2
• Applies to context-aware access policies only
• Blocks searches on supported search engines if Safe Search is enabled in a matching access policy and Safe Search is disabled in the browser
• Supported search engines: Google, Yahoo, Bing, Ask, DuckDuckGo
• When a policy is installed, create a bucket to contain the traffic that hits the policy.
• Several flows can match the policy. All of them are rate-limited using a single bucket.
• The flows may match only after the evaluation from an inspector (say HTTP or TLS). In those cases, the data plane will wait for the flags to be set by the inspector before assigning the flow to a bucket.
• A change in policy may result in removal of the rate-limit obligation. The bucket exists as long as the flows exist.
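The bucket life cycle described above, modelled in Python as an added illustration (not ASA CX code): one token bucket per installed policy, shared by every flow bound to it, still present after the obligation is removed until the last flow closes. Times are integer milliseconds and rates bytes per millisecond so the arithmetic is exact; the policy names, flow ids, 64 kbit/s rate and 4000-byte burst are constructed.

```python
class PolicyBucket:
    # One bucket per installed policy; every flow matching the policy draws from it.
    def __init__(self, rate_bytes_per_ms, depth_bytes):
        self.rate, self.depth = rate_bytes_per_ms, depth_bytes
        self.tokens, self.last_ms = depth_bytes, 0
        self.flows = set()        # flows currently bound to this bucket
        self.obligated = True     # False once a policy change removes the rate limit
    def admit(self, now_ms, size):
        # Refill in proportion to elapsed time, never beyond the bucket depth.
        self.tokens = min(self.depth, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if size > self.tokens:
            return False          # excess packet is dropped
        self.tokens -= size
        return True

class RateLimiter:
    def __init__(self):
        self.buckets = {}         # policy name -> PolicyBucket, created on policy install

    def bind_flow(self, flow_id, policy):
        # Called only once the inspector (HTTP, TLS) has confirmed the match.
        self.buckets[policy].flows.add(flow_id)

    def packet(self, flow_id, policy, now_ms, size):
        bucket = self.buckets.get(policy)
        if bucket is None or not bucket.obligated:
            return True           # no rate-limit obligation (any more)
        return bucket.admit(now_ms, size)

    def remove_obligation(self, policy):
        # Policy change: stop limiting, but keep the bucket while flows reference it.
        self.buckets[policy].obligated = False

    def flow_closed(self, flow_id, policy):
        bucket = self.buckets[policy]
        bucket.flows.discard(flow_id)
        if not bucket.obligated and not bucket.flows:
            del self.buckets[policy]   # last flow gone, bucket can go too

def simulate():
    # A and B share P1 (8 bytes/ms = 64 kbit/s, 4000-byte burst); C alone matches P2.
    rl = RateLimiter()
    rl.buckets = {"P1": PolicyBucket(8, 4000), "P2": PolicyBucket(8, 4000)}
    flows = (("A", "P1"), ("B", "P1"), ("C", "P2"))
    admitted = {flow: 0 for flow, _ in flows}
    for flow, pol in flows:
        rl.bind_flow(flow, pol)
    for t in range(0, 1000, 100):        # 1000-byte packets every 100 ms for one second
        for flow, pol in flows:
            admitted[flow] += rl.packet(flow, pol, t, 1000)
    return admitted                      # {'A': 9, 'B': 2, 'C': 10}
```

Because A and B draw from the same bucket, A (served first each tick) keeps most of the shared 64 kbit/s while B is dropped after the burst is spent; C, alone on its own policy, is never limited.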
Available with Peregrine release
Web Reputation filtering support for HTTPS
• Web reputation filtering can now be applied to HTTPS traffic
• Uses the FQDN from the certificate to determine the web reputation of the server
Enforce certificate best practices
Certificate Caching
• Aimed to improve the “connections per second” performance of the Decryption Engine
• Previously the Decryption Engine generated a replacement certificate for every TLS connection.
• Once generated, replacement certificates are now cached and reused for subsequent SSL requests to the same servers.
Trusted CA list updated
• The Decryption Engine keeps a list of certificate authority certificates it trusts.
• The existing CA list has been updated to match the CAs trusted by the Firefox browser (list posted by Mozilla)
CX support for Multimode ASA
• Adds CX support for multimode ASA (routed, transparent firewall or mixed contexts).
• CX redirection must be configured in each context individually.
• CX works with the ASA as a single instance, using a vcid per transaction to tell contexts apart.
• CX policies are global and apply to all contexts on the ASA.
• Active authentication is supported, with a configurable auth proxy port.
• PRSM Events displays context names.
• Interface roles are context aware.
Licensing and Pricing
Step 1: Which hardware is needed → ASA-X with SSD or ASA 5585-X with CX SSP
Step 2: What service is needed → Application Visibility & Control, Web Security, NGFW IPS or Bundles
Step 3: How long is the service needed → 1, 3, or 5 years
Hardware | License duration | Application Visibility & Control (AVC) | Web Security Essentials (WSE) | Next-Generation Firewall IPS (NGFW IPS)
ASA 5512-X with SSD (ASA5512-SSD120-K8, ASA5512-SSD120-K9)
1 year ASA5512-AP1Y ASA5512-WS1Y ASA5512-IP1Y
3 years ASA5512-AP3Y ASA5512-WS3Y ASA5512-IP3Y
5 years ASA5512-AP5Y ASA5512-WS5Y ASA5512-IP5Y
ASA 5515-X with SSD (ASA5515-SSD120-K8, ASA5515-SSD120-K9)
1 year ASA5515-AP1Y ASA5515-WS1Y ASA5515-IP1Y
3 years ASA5515-AP3Y ASA5515-WS3Y ASA5515-IP3Y
5 years ASA5515-AP5Y ASA5515-WS5Y ASA5515-IP5Y
ASA 5525-X with SSD (ASA5525-SSD120-K8, ASA5525-SSD120-K9)
1 year ASA5525-AP1Y ASA5525-WS1Y ASA5525-IP1Y
3 years ASA5525-AP3Y ASA5525-WS3Y ASA5525-IP3Y
5 years ASA5525-AP5Y ASA5525-WS5Y ASA5525-IP5Y
ASA 5545-X with SSD (ASA5545-2SSD120-K8, ASA5545-2SSD120-K9)
1 year ASA5545-AP1Y ASA5545-WS1Y ASA5545-IP1Y
3 years ASA5545-AP3Y ASA5545-WS3Y ASA5545-IP3Y
5 years ASA5545-AP5Y ASA5545-WS5Y ASA5545-IP5Y
ASA 5555-X with SSD (ASA5555-2SSD120-K8, ASA5555-2SSD120-K9)
1 year ASA5555-AP1Y ASA5555-WS1Y ASA5555-IP1Y
3 years ASA5555-AP3Y ASA5555-WS3Y ASA5555-IP3Y
5 years ASA5555-AP5Y ASA5555-WS5Y ASA5555-IP5Y
Hardware | License duration | AVC+WSE | AVC+NGFW IPS | AVC+WSE+NGFW IPS
ASA 5512-X with SSD (ASA5512-SSD120-K8, ASA5512-SSD120-K9)
1 year ASA5512-AW1Y ASA5512-AI1Y ASA5512-AWI1Y
3 years ASA5512-AW3Y ASA5512-AI3Y ASA5512-AWI3Y
5 years ASA5512-AW5Y ASA5512-AI5Y ASA5512-AWI5Y
ASA 5515-X with SSD (ASA5515-SSD120-K8, ASA5515-SSD120-K9)
1 year ASA5515-AW1Y ASA5515-AI1Y ASA5515-AWI1Y
3 years ASA5515-AW3Y ASA5515-AI3Y ASA5515-AWI3Y
5 years ASA5515-AW5Y ASA5515-AI5Y ASA5515-AWI5Y
ASA 5525-X with SSD (ASA5525-SSD120-K8, ASA5525-SSD120-K9)
1 year ASA5525-AW1Y ASA5525-AI1Y ASA5525-AWI1Y
3 years ASA5525-AW3Y ASA5525-AI3Y ASA5525-AWI3Y
5 years ASA5525-AW5Y ASA5525-AI5Y ASA5525-AWI5Y
ASA 5545-X with SSD (ASA5545-2SSD120-K8, ASA5545-2SSD120-K9)
1 year ASA5545-AW1Y ASA5545-AI1Y ASA5545-AWI1Y
3 years ASA5545-AW3Y ASA5545-AI3Y ASA5545-AWI3Y
5 years ASA5545-AW5Y ASA5545-AI5Y ASA5545-AWI5Y
ASA 5555-X with SSD (ASA5555-2SSD120-K8, ASA5555-2SSD120-K9)
1 year ASA5555-AW1Y ASA5555-AI1Y ASA5555-AWI1Y
3 years ASA5555-AW3Y ASA5555-AI3Y ASA5555-AWI3Y
5 years ASA5555-AW5Y ASA5555-AI5Y ASA5555-AWI5Y
Spare Solid State Drive (SSD) for existing ASA 5500-X customers
ASA5500X-SSD120=
Hardware | License duration | Application Visibility & Control (AVC) | Web Security Essentials (WSE) | Next-Generation Firewall IPS (NGFW IPS)
ASA 5585-X CX SSP-10 (ASA5585-S10C10-K8, ASA5585-S10C10-K9, ASA5585-S10C10XK9)
1 year ASA5585-10-AP1Y ASA5585-10-WS1Y ASA5585-10-IP1Y
3 years ASA5585-10-AP3Y ASA5585-10-WS3Y ASA5585-10-IP3Y
5 years ASA5585-10-AP5Y ASA5585-10-WS5Y ASA5585-10-IP5Y
ASA 5585-X CX SSP-20 (ASA5585-S20C20-K8, ASA5585-S20C20-K9, ASA5585-S20C20XK9)
1 year ASA5585-20-AP1Y ASA5585-20-WS1Y ASA5585-20-IP1Y
3 years ASA5585-20-AP3Y ASA5585-20-WS3Y ASA5585-20-IP3Y
5 years ASA5585-20-AP5Y ASA5585-20-WS5Y ASA5585-20-IP5Y
ASA 5585-X CX SSP-40 (ASA5585-S40C40-K8, ASA5585-S40C40-K9, ASA5585-S40C40XK9)
1 year ASA5585-40-AP1Y ASA5585-40-WS1Y ASA5585-40-IP1Y
3 years ASA5585-40-AP3Y ASA5585-40-WS3Y ASA5585-40-IP3Y
5 years ASA5585-40-AP5Y ASA5585-40-WS5Y ASA5585-40-IP5Y
ASA 5585-X CX SSP-60 (ASA5585-S60C60-K8, ASA5585-S60C60-K9, ASA5585-S60C60XK9)
1 year ASA5585-60-AP1Y ASA5585-60-WS1Y ASA5585-60-IP1Y
3 years ASA5585-60-AP3Y ASA5585-60-WS3Y ASA5585-60-IP3Y
5 years ASA5585-60-AP5Y ASA5585-60-WS5Y ASA5585-60-IP5Y
Hardware | License duration | AVC+WSE | AVC+NGFW IPS | AVC+WSE+NGFW IPS
ASA 5585-X CX SSP-10 (ASA5585-S10C10-K8, ASA5585-S10C10-K9, ASA5585-S10C10XK9)
1 year ASA5585-10-AW1Y ASA5585-10-AI1Y ASA5585-10-AWI1Y
3 years ASA5585-10-AW3Y ASA5585-10-AI3Y ASA5585-10-AWI3Y
5 years ASA5585-10-AW5Y ASA5585-10-AI5Y ASA5585-10-AWI5Y
ASA 5585-X CX SSP-20 (ASA5585-S20C20-K8, ASA5585-S20C20-K9, ASA5585-S20C20XK9)
1 year ASA5585-20-AW1Y ASA5585-20-AI1Y ASA5585-20-AWI1Y
3 years ASA5585-20-AW3Y ASA5585-20-AI3Y ASA5585-20-AWI3Y
5 years ASA5585-20-AW5Y ASA5585-20-AI5Y ASA5585-20-AWI5Y
ASA 5585-X CX SSP-40 (ASA5585-S40C40-K8, ASA5585-S40C40-K9, ASA5585-S40C40XK9)
1 year ASA5585-40-AW1Y ASA5585-40-AI1Y ASA5585-40-AWI1Y
3 years ASA5585-40-AW3Y ASA5585-40-AI3Y ASA5585-40-AWI3Y
5 years ASA5585-40-AW5Y ASA5585-40-AI5Y ASA5585-40-AWI5Y
ASA 5585-X CX SSP-60 (ASA5585-S60C60-K8, ASA5585-S60C60-K9, ASA5585-S60C60XK9)
1 year ASA5585-60-AW1Y ASA5585-60-AI1Y ASA5585-60-AWI1Y
3 years ASA5585-60-AW3Y ASA5585-60-AI3Y ASA5585-60-AWI3Y
5 years ASA5585-60-AW5Y ASA5585-60-AI5Y ASA5585-60-AWI5Y
Cisco Prime Security Manager VMWare Virtual Appliance PIDs | Description
PRSMv9-SW-5-K9 Prime Security Manager - Software - 5 Device Management
PRSMv9-SW-10-K9 Prime Security Manager - Software - 10 Device Management
PRSMv9-SW-25-K9 Prime Security Manager - Software - 25 Device Management
PRSMV9-SW-50-K9 Prime Security Manager - Software - 50-Device Management
PRSMV9-SW-100-K9 Prime Security Manager - Software - 100-Device Management
Cisco Prime Security Manager VMWare Physical Appliance PIDs | Description
PRSM-HW1-25-K9 Prime Security Manager - Appliance - 25 Device Management
PRSMv9-HW-50-K9 PRSM - Appliance - 50-Device Management
PRSMv9-HW-100-K9 PRSM - Appliance - 100-Device Management
• VMWare ESX based virtual appliance or Physical appliance (bundles hardware and software)
• Licensing based on the number of ASA NGFWs that will be managed using the product