Page 1: Cisco ASA withd2zmdbbm9feqrf.cloudfront.net/2016/eur/pdf/LABSEC-2339.pdf · Cisco ASA with FirePOWER services ... • Rules to analyze network traffic ... • ASA Inside Interface

Cisco ASA with FirePOWER services

Eric Kostlan, Technical Marketing Engineer

Security Technologies Group, Cisco Systems

LABSEC-2339


Agenda

• Introduction to Lab Exercises

• Platforms and Solutions

• ASA with Firepower Services Architecture


Introduction to Lab Exercises



Session Objectives


Upon successful completion of this session, the attendee will be able to understand how Sourcefire technologies are deployed on the ASA.

In addition, many of the new Firepower 6.0 features will be covered.

The lab assumes some familiarity with the ASA. Familiarity with Sourcefire is useful, but not necessary.

Disclaimer: This is neither comprehensive ASA training nor comprehensive Sourcefire training. The focus of this lab is how the two are integrated.


Expectations

• There are 8 labs

• You should be able to complete the first 4 lab exercises in the time allotted

• If you want to have more time to work on a lab, you can:

• Work on these labs from your hotel over the rest of the week.

• Contact me [email protected] starting next week, and we can work something out.

• The lab exercise flow is shown below. More details about lab exercise dependencies appear on Page 3 of the Student Guide.


Lab Exercises


• Lab Exercise 1: Initial SFR Configuration

• Lab Exercise 2: Basic Policy Configuration

• Lab Exercise 3: Security Intelligence

• Lab Exercise 4: Snort and OpenAppID

• Lab Exercise 5: SSL Decryption

• Lab Exercise 6: File Policy Configuration

• Lab Exercise 7: Identity

• Lab Exercise 8: Domains


Lab Exercises and new 6.0 features


• Lab Exercise 1: Initial SFR Configuration – One box management

• Lab Exercise 2: Basic Policy Configuration – Policy Hierarchy

• Lab Exercise 3: Security Intelligence – URL based SI, DNS sinkholing

• Lab Exercise 4: Snort and OpenAppID – AVC using OpenAppID

• Lab Exercise 5: SSL Decryption – SSL Decryption on ASA with FP

• Lab Exercise 6: File Policy Configuration – Enhanced AMP capabilities

• Lab Exercise 7: Identity – Active authentication, ISE for passive authentication

• Lab Exercise 8: Domains – Multi-tenancy for management


Platforms and Solutions



What is Cisco Firepower?

• Historical perspective

• Snort created

• Created by Martin Roesch in 1998

• Snort is both a language and an engine

• Open source rapidly adopts and develops Snort

• Sourcefire founded

• Founded in 2001 by Martin Roesch

• Created a commercial version of Snort

• Sourcefire acquires Immunet, a cloud based anti-malware vendor

• Acquisition completed 2011

• Cisco acquires Sourcefire

• Acquisition completed 2013 for $2,700,000,000


Cisco IPS and firewall offerings


• ASA

• Traditional firewall

• Firepower appliances

• Stand alone NGIPS

• Limited firewall capabilities

• ASA with Firepower Services

• Combination of ASA and Firepower

• Complete feature set from both solutions

• Next Generation Firewall (NGFW) – to be released in March

• Integrated data plane

• Integrated management


Cisco ASA Firewalls

(Figure: Firewall-and-VPN and Next-Generation ASA models positioned across the Teleworker, Branch Office, Internet Edge, Data Center and Campus segments.)

Model             Throughput    Connections/s
ASA 5506-X        750 Mbps      5K
ASA 5508-X        1 Gbps        10K
ASA 5516-X        1.8 Gbps      20K
ASA 5512-X        500 Mbps      10K
ASA 5515-X        750 Mbps      15K
ASA 5525-X        2 Gbps        20K
ASA 5545-X        3 Gbps        30K
ASA 5555-X        4 Gbps        50K
ASA 5585 SSP10    4 Gbps        65K
ASA 5585 SSP20    10 Gbps       140K
ASA 5585 SSP40    20 Gbps       240K
ASA 5585 SSP60    40 Gbps       350K


Scaling Provided by Clustering

• Up to 16 ASA-X units

• For ASA 5585-X: FW max throughput 640 Gbps; FirePOWER IPS throughput (440-byte packets) 96 Gbps

• Each Sourcefire Sensor is an independent instance

• ASAs share connection state information

• Sourcefire Sensors do not share signature state information

• State-sharing between firewalls for symmetry and high availability

• Every session has a Primary Owner; ownership is managed by the Director node

• ASA provides traffic symmetry to the FirePOWER module


Multi-Context Support


• Security contexts share a single Sourcefire instance

• Context IDs are passed from the ASA to Sourcefire when ASA interfaces are discovered.

• Events passed to FireSIGHT include the Context IDs.


Firepower Integration into Cisco Products

(Figure: FP 8000 Series, 2 Gbps – 60 Gbps, NGIPS.)


Securing the Internet of Things


• Industrial Security Appliance (ISA)

• Software

  • Firewall: ASA

  • IPS: Sourcefire FirePOWER Services

• Identify and block threats

  • Generic

  • OT protocol specific

  • OT application specific

• Application Visibility and Control

  • Protocols

  • Applications

  • Individual commands


ASA with Firepower Services Architecture



ASA with FirePOWER Services


• Functional Distribution of Features

ASA:

  IP Fragmentation

  IP Option Inspection

  TCP Intercept

  TCP Normalization

  ACL

  NAT

  VPN Termination

  Routing

  Botnet Traffic Filter

FirePOWER Services:

  Advanced Malware Protection

  File Type filtering

  Application Visibility and Control

  NGIPS

  URL Category/Reputation

  File capture

  SSL decryption

  Security Intelligence


ASA 5585-X with FirePOWER Services


• Packet flow overview

• ASA Module processes all ingress and egress packets

• No packets are directly processed by FirePOWER except for the FirePOWER management port

• ASA configures and controls the FirePOWER Services Module

• Logical flow is similar for mid-range ASAs


ASA with FirePOWER Services


• Packet flow between the solution components

1. Ingress processing – inbound ACLs, IP defragmentation, TCP normalization, TCP intercept, protocol inspection, clustering/HA traffic control, VPN decryption, etc.

2. Sourcefire Services processing – URL filtering, AVC, NGIPS, AMP, etc.

3. Egress processing – outbound ACLs, NAT, routing, VPN encryption, etc.

• Packets are redirected using the Cisco ASA Modular Policy Framework (MPF)

• MPF supports fail-open, fail-closed and monitor only options

• MPF determines which traffic is sent to the FirePOWER Services module

• 5.4 FirePOWER physical appliances
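An added configuration example, not taken from the deck: the ASA MPF redirect described above, written as a class-map/policy-map pair that sends TCP and UDP traffic to the sfr module in fail-open mode, with the fail-closed and monitor-only variants noted in comments. The ACL and class names (SFR_REDIRECT, sfr-class) are assumed.

```cisco
! Added example, not from LABSEC-2339. ACL and class-map names are assumed.
! Step 1: select the traffic the ASA should hand to the FirePOWER (sfr) module.
access-list SFR_REDIRECT extended permit tcp any any
access-list SFR_REDIRECT extended permit udp any any
!
class-map sfr-class
 match access-list SFR_REDIRECT
!
! Step 2: attach the redirect to the default global policy. Exactly one sfr
! mode is allowed per class:
!   sfr fail-open               module down -> traffic passes uninspected
!   sfr fail-close              module down -> traffic is dropped
!   sfr fail-open monitor-only  passive copy only; module can alert, not block
policy-map global_policy
 class sfr-class
  sfr fail-open
!
! Step 3: apply (the default policy is already applied globally on most ASAs).
service-policy global_policy global
```

Use `show service-policy sfr` to confirm the class is matching and to see how many packets have been redirected to the module.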


Sample Solution Architecture with Management



Call to Action

• Visit the World of Solutions for

• Cisco Campus

• Walk in Labs

• Technical Solution Clinics

• Meet the Engineer

• Lunch and Learn Topics

• DevNet zone related sessions


Complete Your Online Session Evaluation

• Please complete your online session evaluations after each session. Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.

• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations


Thank you


What is Snort?


• Snort is an engine

• Parses network protocols

• Snort is a language

• Rules to analyze network traffic

• Snort is a community

• More than 400,000 active members

(Figure: Snort processing pipeline) Network → DAQ libraries → Packet decoder → Preprocessors → Detection engine → Output module → Alert and log files


Best Practice physical configuration (5500-X)


• ASA managed in-band (from the “inside” interface)

• FirePOWER module managed via the M0/0 Management Interface

• No nameif assigned to the ASA M0/0 Interface

• ASA Inside Interface and FirePOWER Management can share the same Layer 2 domain and IP subnet

• Access from the “inside” to the FirePOWER module through switch/router, without ASA involvement

(Figure: recommended physical topology)