Cisco Firewall Basics
Mark Cairns, Consulting Systems Engineer
BRKSEC-1020
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
How: cs.co/clus17/#BRKSEC-1020
Cisco Spark spaces will be available until July 3, 2017.
Mark Cairns
Consulting Systems Engineer, GSSO, supporting US Commercial
• Based in Richmond, VA, covering accounts in Virginia and Washington DC
• 19 years of experience with Cisco Security Solutions
• You can reach me at [email protected] and @12LISN2
Session Information
• This is an introductory 1000 level session
• It is not meant for professionals with deep knowledge of firewalls and Cisco ASA
• This session is not for you if you want to deep dive into configurations for specific features / functionality
• References may be made to advanced functionality for context but we will stay at a fairly high level
Follow-up Sessions – Deeper dives on specific content
| Session ID | Session Description | Time |
|---|---|---|
| BRKSEC-2058 | A Deep Dive into using the Firepower Manager | Wed 4:00-5:30 |
| BRKSEC-3007 | Advanced Cisco IOS Security | Tuesday 1:30-3:30 |
| BRKSEC-3300 | Advanced IPS Deployment | Thursday 8:30-10:00 |
| BRKSEC-3690 | Advanced Security Group Tags | Monday 1:30-3:30 |
| BRKSEC-2050 | ASA Firepower NGFW typical deployment scenarios | Monday 1:30-3:30, Tuesday 1:30-3:30 |
| BRKSEC-2033 | Best Security and deployment strategies SMB NGFW | Tuesday 8:00-10:00 |
| BRKSEC-2342 | Branch Router Security | Thursday 10:30-12:00 |
| BRKSEC-2055 | Cloud-Managed Security for Distributed Networks with Cisco Meraki MX | Wednesday 4-5:30 |
| BRKSEC-2203 | Deploying TrustSec Security Group Tagging | Tuesday 4:00-5:30 |
| BRKSEC-3455 | Dissecting Firepower NGFW "Installation & Troubleshooting" | Tuesday 1:30-3:30 |
| BRKSEC-3035 | Firepower Platform Deep Dive | Wednesday 1:30-3:30 |
| LTRSEC-1000 | Firepower Threat Defense Deployment Hands-on Lab | Wed 8:00-12:00, Thursday 8:00-12:00 |
| BRKSEC-3032 | NGFW Clustering Deep Dive | Tuesday 8:00-10:00 |
| BRKSEC-2020 | NGFW Deployment in the Data Center and Network Edge Using Firepower Threat Defense | Tuesday 8:00-10:00, Wed 1:30-3:30 |
| BRKSEC-2064 | NGFW and ASAv in Public Cloud (AWS and Azure) | Thursday 1:00-2:30 |
Agenda
• Introduction
• Firewalls in General
• Use Cases - Why
• Firewall Options - What
• Introduction to Firepower
• Advanced Use Case Examples
• Q&A – Feel free to ask questions
Firewalls in General
Securing/Hardening for What Purpose or Need?
• Subversion
  • Bots, Viruses, and Worms
  • Spyware and Adware
• Disruption
  • Denial of service attacks
  • Advanced Persistent Threats (APTs)
• Penetration Attempt
  • Zero-day Attacks
  • Hacker Attacks
• Data Loss
  • Data theft and/or interception
  • Identity theft
Firewalls – What are they?
• Primary filtering appliances/VMs that work at both the network and application layers
• Provide a platform for the features/functionality needed for network security:
  • VPNs (remote-access and site-to-site)
  • NGIPS
  • Anti-Malware Protection
• Next-generation security should not abandon proven stateful inspection capabilities in favor of application and user-ID awareness alone
• A comprehensive network security solution needs firewalls, next-generation firewalls (application inspection and filtering) and next-generation intrusion prevention systems (context aware)
• The firewall is often the conduit through which other defense components combat the threats that face the network
Filtering on a Tuple?
• Firewalls began as a means to filter traffic based on the five-tuple of each packet:
  • Source IP address – the IP address of the initiator of the IP packet
  • Destination IP address – the IP address of the destination of the IP packet
  • Source port – UDP or TCP port used by the initiator to establish communications with the destination
  • Destination port – UDP or TCP port on which the destination receives the communication from the source
  • IP protocol – the specific IP protocol used in the communication
Filtering – IP Protocols
• ICMP (1)
• TCP (6)
• UDP (17)
• GRE (47)
• ESP (50)
• AH (51)
• EIGRP (88)
• OSPF (89)
http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
Stateful Inspection
• Most routers and switches can filter based on the five-tuple… why a firewall, then?
• Stateful firewalls track L3/L4 traffic as it leaves and returns to the network
• Connections are maintained in the connection table, which tracks the five-tuple and additional information such as TCP sequence numbers
Connection table entry (Cisco ASA show conn format):
TCP outside:2.2.2.2/80 (2.2.2.2/80) inside:1.1.1.1/35478 (1.1.1.1/35478), flags UIO, idle 4m39s, uptime 6m16s, timeout 1h0m, bytes 3002
Outbound packet: Src IP – 1.1.1.1, Dest IP – 2.2.2.2, Src Port – TCP/35478, Dest Port – TCP/80
Return packet: Src IP – 2.2.2.2, Dest IP – 1.1.1.1, Src Port – TCP/80, Dest Port – TCP/35478
*Best Practice – Limit outbound connections to known services and hosts, for example allow outbound port 25 only from SMTP servers.
Network Address Translation
• Network address translation (NAT) is the mapping of IP addresses from a private network to a public network
• NAT gives network administrators and security administrators:
  • Access to non-publicly routable IPv4 space
  • Cost savings, because public addresses are not cheap
  • Masquerading of internal network addresses
• IPv4 address space is exhausted
Before NAT (inside): Src IP – 10.1.1.1, Dest IP – 2.2.2.2, Src Port – TCP/35478, Dest Port – TCP/80
After NAT (outside): Src IP – 3.3.3.3, Dest IP – 2.2.2.2, Src Port – TCP/35478, Dest Port – TCP/80
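The two slides above describe a connection table keyed on the five-tuple and source NAT of the inside host behind a public address. The following Python model is an added example, not code from the deck: it parses the connection-table line shown on the stateful inspection slide, builds state for outbound connections, translates the inside source to the public address exactly as the NAT slide's packets show, and admits inbound packets only when they answer a tracked connection. It also applies the slide's best practice of limiting outbound connections to known services and hosts (port 25 only from the mail server). The 10.1.1.0/24 inside network, the policy and the mail-server addresses are constructed for the example.

```python
"""Toy stateful firewall with source NAT (added example, not from the BRKSEC-1020 deck).
Sample hosts 1.1.1.1, 2.2.2.2, 3.3.3.3, 10.1.1.1 and the connection line are the slides';
the inside network, outbound policy and mail-server addresses are constructed here."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """The five-tuple: IP protocol, source IP/port, destination IP/port."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> "Flow":
        return Flow(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


# Connection-table line in the format the slide shows (Cisco ASA "show conn"), e.g.
# TCP outside:2.2.2.2/80 (2.2.2.2/80) inside:1.1.1.1/35478 (1.1.1.1/35478), flags UIO, ...
CONN_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<if1>\w+):(?P<ip1>[\d.]+)/(?P<p1>\d+) \([^)]*\)\s+"
    r"(?P<if2>\w+):(?P<ip2>[\d.]+)/(?P<p2>\d+) \([^)]*\), flags (?P<flags>[A-Za-z]+)"
)
SAMPLE_CONN = ("TCP outside:2.2.2.2/80 (2.2.2.2/80) inside:1.1.1.1/35478 (1.1.1.1/35478), "
               "flags UIO, idle 4m39s, uptime 6m16s, timeout 1h0m, bytes 3002")


def parse_conn_line(line: str, inside_if: str = "inside") -> Flow:
    """Read a connection-table line back into the five-tuple as the inside host sent it."""
    m = CONN_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised connection line: {line!r}")
    ends = {m["if1"]: (m["ip1"], int(m["p1"])), m["if2"]: (m["ip2"], int(m["p2"]))}
    inside_ip, inside_port = ends.pop(inside_if)
    ((outside_ip, outside_port),) = ends.values()
    return Flow(m["proto"].upper(), inside_ip, inside_port, outside_ip, outside_port)


class StatefulNatFirewall:
    """Outbound connections create state and are source-NATted; inbound packets need state."""

    def __init__(self, inside_net: str, public_ip: str,
                 policy: Dict[Tuple[str, int], Optional[Set[str]]]) -> None:
        self.inside_net = ipaddress.ip_network(inside_net)
        self.public_ip = public_ip
        # (proto, dst_port) -> inside hosts allowed to use it, None = any inside host.
        # This is the slide's best practice: limit outbound to known services and hosts.
        self.policy = policy
        self.conn_table: Dict[Flow, Flow] = {}   # translated (outside-facing) flow -> inside flow
        self.events: List[str] = []

    def outbound(self, flow: Flow) -> Optional[Flow]:
        """Inside -> Internet: returns the NATted flow that leaves, or None if dropped."""
        if ipaddress.ip_address(flow.src_ip) not in self.inside_net:
            self.events.append(f"DROP outbound: {flow.src_ip} is not an inside address")
            return None
        hosts = self.policy.get((flow.proto, flow.dst_port), ())   # () = service not allowed at all
        if not (hosts is None or flow.src_ip in hosts):
            self.events.append(f"DROP outbound: {flow.src_ip} -> {flow.dst_ip}:{flow.dst_port}/{flow.proto} not in policy")
            return None
        port = flow.src_port   # keep the port unless another inside host already uses it (PAT)
        while Flow(flow.proto, self.public_ip, port, flow.dst_ip, flow.dst_port) in self.conn_table:
            port = 1024 if port >= 65535 else port + 1
        translated = Flow(flow.proto, self.public_ip, port, flow.dst_ip, flow.dst_port)
        self.conn_table[translated] = flow
        self.events.append(f"BUILT {flow.src_ip}:{flow.src_port} -> {flow.dst_ip}:{flow.dst_port} as {self.public_ip}:{port}")
        return translated

    def inbound(self, flow: Flow) -> Optional[Flow]:
        """Internet -> inside: admitted and un-NATted only if it answers a tracked connection."""
        original = self.conn_table.get(flow.reverse())
        if original is None:
            self.events.append(f"DROP inbound: {flow.src_ip}:{flow.src_port} -> {flow.dst_ip}:{flow.dst_port} matches no connection")
            return None
        return original.reverse()   # delivered to the real inside host and port


def demo() -> dict:
    fw = StatefulNatFirewall(
        inside_net="10.1.1.0/24", public_ip="3.3.3.3",
        policy={("TCP", 80): None, ("TCP", 443): None, ("TCP", 25): {"10.1.1.25"}},  # constructed
    )
    out = fw.outbound(Flow("TCP", "10.1.1.1", 35478, "2.2.2.2", 80))   # the NAT slide's inside packet
    reply = fw.inbound(Flow("TCP", "2.2.2.2", 80, "3.3.3.3", 35478))   # server answers the public IP
    stray = fw.inbound(Flow("TCP", "2.2.2.2", 80, "3.3.3.3", 40000))   # unsolicited: no state, dropped
    smtp_ok = fw.outbound(Flow("TCP", "10.1.1.25", 40001, "198.51.100.9", 25))  # constructed mail server
    smtp_bad = fw.outbound(Flow("TCP", "10.1.1.7", 40002, "198.51.100.9", 25))  # a workstation, blocked
    return {"out": out, "reply": reply, "stray": stray, "smtp_ok": smtp_ok,
            "smtp_bad": smtp_bad, "events": fw.events}
```

Running `demo()` shows the outbound web connection leaving as 3.3.3.3:35478, its reply being mapped back to 10.1.1.1:35478, the unsolicited inbound packet dropped for lack of state, and the SMTP attempt from a workstation refused by policy while the mail server's is built.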
Use Cases
Use Case #1
• Hospitality, Retail or other similar distributed deployment
• Remote sites 100+
• Direct Internet Access (DIA) at remote sites
• Company has a “Cloud First” mandate
• 4 Network / Security Engineers (“jack of all trades, master of none”)
• Basic security needs for URL filtering, DNS security, IPS
• Need VPN connectivity to HQ
Cloud Networking Group
Meraki MX Options (Reference)
| Segment | Model | Users | Features | FW throughput |
|---|---|---|---|---|
| Teleworker | Z1 | 1-5 users | Dual-radio wireless | 50 Mbps |
| Small branch | MX64(W) | ~50 users | 802.11ac wireless | 250 Mbps |
| Small branch | MX65(W) | ~50 users | 802.11ac wireless & PoE+ | 250 Mbps |
| Mid-sized branch | MX84 | ~200 users | Dedicated WAN uplinks | 500 Mbps |
| Mid-sized branch | MX100 | ~500 users | Gigabit uplinks | 750 Mbps |
| Large branch or campus | MX400 | ~2,000 users | Modular interface | 1 Gbps |
| Large branch or campus | MX600 | ~10,000 users | Modular interface | 1 Gbps |
All devices support 3G/4G
Meraki MX Security
| Feature | Description |
|---|---|
| Next Generation Firewall | Application aware firewalling |
| Intrusion Prevention (IPS) | Based on Cisco Snort |
| URL Content Filtering | With over 80 categories and over 4 billion categorized URLs |
| Geo-based security | Allow or block traffic by country |
| Malware Protection | Cisco AMP and Threat Grid |
| Automatic updates | Software and security updates delivered from the cloud |
| PCI compliance | PCI 3.2 certified cloud management backend |
Meraki MX Basics
Meraki MX Basics continued
Meraki Threat and Filtering
Meraki Threat and Filtering continued
Cisco Umbrella
Use Case #2
• Regional Services Company
• 8 sites on MPLS with ISR routers deployed
• Broadband Internet being added for DMVPN backup/redundancy (IWAN)
• Simple filter to protect the new Internet link
• HQ has a proxy for Internet
Securing the WAN
• Typical MPLS WAN
• Does not ensure privacy
• Best Practice – Consider encryption across existing WAN
Internet based WAN
• Lower cost alternative to MPLS
• Dictates VPN for routing and privacy
• Balance complexity with features and functionality
• Typically no need for inbound access directly from Internet
Zone Based Firewall
Diagram: G0/0 – Internet zone; G0/1.101 – Trusted zone; G0/1.103 – DMZ zone. Trusted → Internet: TCP/UDP/ICMP inspected, responses OK. Internet ↔ DMZ: all traffic permitted.
Support for:
• ISR, ASR, CSR
• NAT
• WAAS
• VRFs
• Redundancy
• VTIs for VPNs
• Deep Packet Inspection
Note: For a simple inside-to-outside configuration, remove all references to the DMZ interface. This DMZ configuration assumes a second security device to filter traffic or terminate VPN.
Configuring ZBF
Create Zones
zone security Internet
zone security Trusted
zone security DMZ
Assign interfaces to security zones
interface LISP0
 zone-member security DMZ
!
interface GigabitEthernet0/0
 description Public Outside
 zone-member security Internet
!
interface GigabitEthernet0/1.101
 description Inside
 zone-member security Trusted
!
interface GigabitEthernet0/1.103
 description Public DMZ
 zone-member security DMZ
Configuring ZBF (continued)
Create Inspection Class
class-map type inspect match-any All_Protocols
 description - Match all outgoing protocols
 match protocol tcp
 match protocol udp
 match protocol icmp
Create Inspection Policy
policy-map type inspect trusted-to-internet
 class type inspect All_Protocols
  inspect
 class class-default
  drop
policy-map type inspect DMZ
 class class-default
  pass
Create Zone Pairs and Associate Policy
zone-pair security Trusted->Internet source Trusted destination Internet
 service-policy type inspect trusted-to-internet
zone-pair security Internet->DMZ source Internet destination DMZ
 service-policy type inspect DMZ
zone-pair security DMZ->Internet source DMZ destination Internet
 service-policy type inspect DMZ
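To make the zone-pair semantics concrete, here is an added example, not code from the deck or from Cisco IOS: a small Python model of how ZBF decides the fate of a flow through the configuration above. It encodes the rules this slide relies on: traffic between two zones with no zone-pair is dropped, traffic within one zone is permitted by default, an interface in a zone never talks to an interface in no zone, `inspect` creates state so return traffic is admitted, and `pass` is stateless, which is why the DMZ needs a zone-pair in each direction. The interface names, zones, class-map and policies are the slide's (descriptions and the LISP0 interface omitted); the flows tested are constructed. The GRE case shows why the `All_Protocols` class-map only covers TCP, UDP and ICMP: anything else falls to `class-default` and is dropped.

```python
"""Toy model of IOS Zone-Based Firewall decisions (added example; not Cisco code).
ZBF_CONFIG is the slide's configuration minus descriptions and the LISP0 interface;
the decision rules below are a simplification of real ZBF behaviour."""
from typing import Any, Dict, List, Optional, Set, Tuple

ZBF_CONFIG = """
zone security Internet
zone security Trusted
zone security DMZ
interface GigabitEthernet0/0
 zone-member security Internet
interface GigabitEthernet0/1.101
 zone-member security Trusted
interface GigabitEthernet0/1.103
 zone-member security DMZ
class-map type inspect match-any All_Protocols
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect trusted-to-internet
 class type inspect All_Protocols
  inspect
 class class-default
  drop
policy-map type inspect DMZ
 class class-default
  pass
zone-pair security Trusted->Internet source Trusted destination Internet
 service-policy type inspect trusted-to-internet
zone-pair security Internet->DMZ source Internet destination DMZ
 service-policy type inspect DMZ
zone-pair security DMZ->Internet source DMZ destination Internet
 service-policy type inspect DMZ
"""


class ZbfConfig:
    def __init__(self) -> None:
        self.if_zone: Dict[str, str] = {}                  # interface -> zone
        self.class_maps: Dict[str, Set[str]] = {}          # class-map -> protocols it matches
        self.policy_maps: Dict[str, List[List[Any]]] = {}  # policy-map -> [[class, action], ...]
        self.zone_pairs: Dict[Tuple[str, str], str] = {}   # (src zone, dst zone) -> policy-map


def parse_zbf(text: str) -> ZbfConfig:
    """Line-oriented parser for the handful of ZBF commands the slide uses."""
    cfg = ZbfConfig()
    ctx: Optional[Tuple[str, Any]] = None              # the top-level block we are inside
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0] == "!":
            continue
        if w[0] == "interface":
            ctx = ("interface", w[1])
        elif w[0] == "class-map":                      # class-map type inspect match-any NAME
            ctx = ("class-map", w[-1])
            cfg.class_maps[w[-1]] = set()
        elif w[0] == "policy-map":                     # policy-map type inspect NAME
            ctx = ("policy-map", w[-1])
            cfg.policy_maps[w[-1]] = []
        elif w[0] == "zone-pair":                      # zone-pair security NAME source S destination D
            ctx = ("zone-pair", (w[w.index("source") + 1], w[w.index("destination") + 1]))
        elif w[0] == "zone" or ctx is None:            # "zone security X" needs no bookkeeping
            ctx = None
        elif w[0] == "zone-member" and ctx[0] == "interface":
            cfg.if_zone[ctx[1]] = w[-1]
        elif w[0] == "match" and ctx[0] == "class-map":
            cfg.class_maps[ctx[1]].add(w[-1])
        elif w[0] == "class" and ctx[0] == "policy-map":
            cfg.policy_maps[ctx[1]].append([w[-1], None])   # "All_Protocols" or "class-default"
        elif w[0] in ("inspect", "pass", "drop") and ctx[0] == "policy-map":
            cfg.policy_maps[ctx[1]][-1][1] = w[0]
        elif w[0] == "service-policy" and ctx[0] == "zone-pair":
            cfg.zone_pairs[ctx[1]] = w[-1]
    return cfg


def first_packet(cfg: ZbfConfig, in_if: str, out_if: str, proto: str) -> str:
    """Action (inspect / pass / drop) on the first packet of a flow from in_if to out_if."""
    src_zone, dst_zone = cfg.if_zone.get(in_if), cfg.if_zone.get(out_if)
    if src_zone is None or dst_zone is None:
        return "pass" if src_zone is dst_zone else "drop"   # unzoned<->unzoned passes; zoned<->unzoned drops
    if src_zone == dst_zone:
        return "pass"                                # intra-zone traffic is permitted by default
    policy = cfg.zone_pairs.get((src_zone, dst_zone))
    if policy is None:
        return "drop"                                # no zone-pair in this direction: implicit drop
    for cls, action in cfg.policy_maps[policy]:
        if cls == "class-default" or proto in cfg.class_maps.get(cls, set()):
            return action or "drop"
    return "drop"


def flow_outcome(cfg: ZbfConfig, in_if: str, out_if: str, proto: str) -> Tuple[str, bool]:
    """(action on the first packet, whether the reply traffic gets back through)."""
    fwd = first_packet(cfg, in_if, out_if, proto)
    if fwd == "drop":
        return fwd, False
    if fwd == "inspect":
        return fwd, True                             # stateful: replies are matched to the session
    # pass is stateless: the reply is a new flow that needs its own permitting zone-pair
    return fwd, first_packet(cfg, out_if, in_if, proto) == "pass"


CFG = parse_zbf(ZBF_CONFIG)
INSIDE, OUTSIDE, DMZ = "GigabitEthernet0/1.101", "GigabitEthernet0/0", "GigabitEthernet0/1.103"
```

`flow_outcome(CFG, INSIDE, OUTSIDE, "tcp")` gives `("inspect", True)`, `flow_outcome(CFG, OUTSIDE, INSIDE, "tcp")` gives `("drop", False)` because no Internet→Trusted zone-pair exists, and `flow_outcome(CFG, INSIDE, DMZ, "tcp")` is also `("drop", False)`: the slide's configuration does not let the trusted network reach the DMZ at all, which is worth knowing before deploying it unchanged.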
Use Case #2 (Variant)
• Regional Services Company
• 8 sites on MPLS with ISR routers deployed
• Broadband Internet being added for DMVPN backup and DIA
• Complete filter (not just a simple one) to protect the new Internet link
Firepower Virtual – VMware / KVM
Internet based WAN
• Lower cost alternative to MPLS
• Dictates VPN for routing and privacy
• Balance complexity with features and functionality
• Typically no need for inbound access directly from Internet
• Direct Internet Access (DIA) adds security risk
Use Case #3
• Data Center upgrade
• Adding security to new design
• No L3 hop for security to reduce convergence time
• N+1 redundancy
• Multi 10 Gbps throughput
Data Center – A/S or Clustering for Performance and Scale
• Firepower 9300 with SM-24, SM-36 or SM-44
• Firepower 4110, 4120, 4140 or 4150
• Firepower 2110, 2120, 2130*, 2140*
*10 Gig Interfaces
Data Center – Specifications (Reference)
*Note: 2100 models do not support clustering. Only the 2130 and 2140 support 10 Gbps interfaces and an optional network module.
Firepower 2100 Series
High Performance, Purpose Built Hardware for Cisco NGFW
• Available in 4 Platforms
• Higher Port Density in 1 Rack Unit
• 10 Gbps Support (2130 and 2140)
| Model | Ports |
|---|---|
| FPR 2110 | 16x 1G |
| FPR 2120 | 16x 1G |
| FPR 2130 | 12x 1G, 12x 10G |
| FPR 2140 | 12x 1G, 12x 10G |
Data Center – Clustering for Performance and Scale
• Handles asymmetric traffic associated with vPC/VSS
• N+1 redundancy
• Keeps DC design intact
• Scale to 16 firewalls
Data Center – ACI Deployments
Figure labels: Automation, Scale and Performance, Security, Simplicity, Open, Agility and Visibility, APIC
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Use Case #4
• Cloud expansion / Cloud First
• AWS and/or Azure
• Need to replicate security / inspection policy for cloud traffic
Cisco ASAv and Threat Defense Virtual
Cisco® ASA 9 Feature Set / Threat Defense 6 (ASAv and FTDv):
• 10 vNIC interfaces and VLAN tagging
• Virtualization displaces multiple-context and clustering
• Parity with all other Cisco ASA platform features
• SDN (Cisco APIC) and traditional (Cisco ASDM and CSM) management tools
• Dynamic routing includes OSPF, EIGRP, and BGP
• REST API for programmed configuration and monitoring
• Cisco TrustSec® PEP with SGT-based ACLs
• Failover Active/Standby HA model
FTDv:
• 4 vNIC default
• 8 GB RAM, 4 vCPU
Hypervisors: VMware, KVM, Hyper-V (ASA only), AWS, Azure (features can differ for cloud)
Cisco ASAv Platforms
| Platform | Throughput |
|---|---|
| Cisco® ASAv5 | 100 Mbps |
| Cisco® ASAv10 | 1 Gbps |
| Cisco® ASAv30 | 2 Gbps |
| Cisco® ASAv50 | 10 Gbps |
* Lab Edition license is built in with 100-Kbps throughput and 100 total connections allowed
ASAv50:
• Introduced with ASA release 9.8(1)
• Supported on KVM or ESXi
• Uses IXGBE-VF vNIC
• Does not support Transparent mode (promiscuous restriction on IXGBE-VF)
• Not supported in Amazon Web Services, Microsoft Azure or Hyper-V
ASAv and/or NGFW
• Supported in both AWS and Azure
• *Note restrictions based on cloud deployment
Meraki Virtual MX for AWS (vMX100)
• Appears in the dashboard
• 500 Mbps VPN throughput
• Bring Your Own License (BYOL)
Use Case #5
• Typical Internet Edge designs
• Outbound Internet (Web, Email, FTP, etc)
• Inbound traffic to DMZ and/or eCommerce
• VPN for Remote Access, L2L, business partners
Edge With DMZ
• Similar to a basic edge design with the addition of inbound traffic
• Traffic inbound from the DMZ to the trusted network may or may not pass the firewall.
Edge With DMZ - VPN
• Multiple path options for VPN with trusted and untrusted packets
• VPN Concentrator may be connected outside the firewall
• Trusted traffic path usually depends on the source: employee, vendor, B2B, etc.
*Best Practices – Remember that access from a VPN to an internal resource is not a dead end! That resource can serve as a jump box into the rest of the network. Hide your firewall with private IP space on the outside.
Tiered DMZs
• Typically seen in multi-tiered hosting for e-commerce
• Forces all traffic between tiers to pass firewall rules
• Can help mitigate risk and contain exploits and/or breaches within a DMZ
Bridge across your DMZs
• Sometimes referred to as clean and dirty DMZs
• VPN, Video, etc.
• Avoids hair-pinning
*Best Practice – Use destination NAT with a block of unused private IPs for outbound L2L VPN instead of routing individual remote IPs.
Split Firewalls
• Layer 3 hop between firewalls
• Avoids hair-pinning within a firewall
• Simplifies policy
• May still have an optional trusted connection
Quick Hardware Snapshot
Portfolio
Segments: SMB/SOHO, Branch, Internet Edge, Data Center, Service Provider
• ASA 5505
• ASA 5506-X, 5508-X, 5516-X
• ASA 5512-X, 5515-X, 5525-X, 5545-X, 5555-X
• ASA 5585-X SSP10, SSP20, SSP40, SSP60
• FPR 2110, 2120, 2130, 2140
• FPR 4110, 4120, 4140, 4150
• FPR 9300 SM-24, SM-36, SM-44
EOS Aug 2017 (marked against two models on the slide)
Latest Additions to the 5500 Portfolio – 5506-X with FirePOWER Services (Reference)
• Max 250 Mbps AVC throughput
• Max 125 Mbps AVC and NGIPS
• 90 Mbps AVC or IPS with 440 byte HTTP
• ASDM 7.3.x or CSM and Firepower Management Center
• Available in hardened and wireless configurations
Latest Additions to the 5500 Portfolio – 5508-X with FirePOWER Services (Reference)
• Max 450 Mbps AVC throughput
• Max 250 Mbps AVC and NGIPS
• 180 Mbps AVC or IPS with 440 byte HTTP
• ASDM 7.3.x or CSM, Firepower Management Center, On-box, CDO
Latest Additions to the 5500 Portfolio – 5516-X with FirePOWER Services (Reference)
• Max 850 Mbps AVC throughput
• Max 425 Mbps AVC and NGIPS
• 300 Mbps AVC or IPS with 440 byte HTTP
• ASDM 7.3.x or CSM, Firepower Management Center, On-box, CDO
Over, Through or Around The Wall
Things Change
If you knew you were going to be compromised, would you do security differently?
The package
Figure – a delivery analogy: Sender → Receiver, with checks on reputation, content (deep packet inspection) and tracking history; the chicken pox virus and its vaccine.
The Threat-Centric Firewall – Cisco ASA with FirePOWER Services
• Integrating defense layers helps organizations get the best visibility
• Enable dynamic controls to automatically adapt
• Protect against advanced threats across the entire attack continuum
Proven Cisco ASA firewalling plus industry-leading NGIPS and AMP
Indications of Compromise (IoCs)
IPS Events:
• Malware Backdoors
• Exploit Kits
• Web App Attacks
• CnC Connections
• Admin Privilege Escalations
SI Events:
• Connections to Known CnC IPs
Malware Events:
• Malware Detections
• Office/PDF/Java Compromises
• Malware Executions
• Dropper Infections
Application Visibility and Control
IPS with Snort
Host Profiles
• What OS?
• What Services?
• What Applications?
• What Vulnerabilities?
Impact Assessment
| Impact Flag | Administrator Action | Why |
|---|---|---|
| 1 | Act immediately, vulnerable | Event corresponds to vulnerability mapped to host |
| 2 | Investigate, potentially vulnerable | Relevant port open or protocol in use, but no vuln mapped |
| 3 | Good to know, currently not vulnerable | Relevant port not open or protocol not in use |
| 4 | Good to know, unknown target | Monitored network, but unknown host |
| 0 | Good to know, unknown network | Unmonitored network |
Advanced Malware Analysis
Network File Trajectory – Where Has It Been Seen?
SSL Inspection issues? - AMP for Endpoints
Firepower NGFW
Introducing Cisco Firepower NGFW
Fully Integrated:
• FW / applications / IPS
• Cisco® AMP – network / endpoint
• Analysis and remediation
• Cisco security solutions
• Application-aware DDoS
Threat Focused:
• Networkwide visibility
• Industry-best threat protection
• Known and unknown threats
• Track / contain / recover
• Across attack continuum
Unified Management:
• Manage, control, and investigate
• Automatically prioritize
• Automatically protect
Firepower 6.x on ASA – Upgrade vs Re-Image: Choose Firepower Services or Firepower Threat Defense
Firepower Software on ASA Platforms:
• Firepower Services 5.4 on ASA 9.5.x → Upgrade → Firepower Services 6.0 on ASA 9.5.x*
• vs Re-Image → Firepower Threat Defense
*Firepower Services 6.x compatible ASA version required
• Firepower 9300 – ASA or TD
• Firepower 4100 – ASA or TD
• Firepower 2100 – TD only
Firepower 6.x Virtual – Upgrade vs Migrate: Choose NGIPSv + ASAv or Firepower Threat Defense
• Firepower NGIPSv 5.4 + ASAv → Upgrade → Firepower NGIPSv 6.0 + ASAv (ASAv upgraded alongside)
• vs Migrate → Firepower Threat Defense Virtual 6.0
FXOS – Chassis Operating System
FXOS – Chassis Operating System (continued)
Advanced Use Cases
ASA Policy Enforcement with MDM
Leverage security groups to authorize endpoints based on MDM compliance.
Figure – components: AP, WLC, ASA, Web Server, ISE, MDM. Flow: compliance check between ISE and the MDM; create Security Groups on ISE (1 Compliant, 2 Non-Compliant); security group query; group tags carried to the ASA over SXP; policy on ASA by Security Group.
TrustSec Demo
TrustSec (WLC, ISE, ASA, Firepower) – Reference
Correlation
Custom Security Intelligence
• Correlate one or more actions with a remediation (in this case, creating a custom security intelligence block list)
• In this example we are looking for block events based on geolocation and dropping the source IP into the custom security intelligence list
• Monitor the events in Firepower Manager for a match against a correlation rule
• The remediation runs a perl script on the Firepower Manager, which leverages the remediation framework to parse event information
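The workflow above (correlation rule → remediation → custom Security Intelligence list) is what a remediation script has to get right. The following Python stand-in is an added example: it is not the speaker's perl script and it does not use the Firepower remediation framework API. It shows the defensive logic such a script needs: select only block events from the geolocation rule, tolerate a malformed field without aborting the run, refuse to list internal addresses or your own public range (a correlation rule that fires on misrouted or spoofed traffic must never blackhole your own hosts), and keep the resulting list deduplicated with one address per line. All event fields and addresses are constructed for the example.

```python
"""Stand-in for the geolocation block-list remediation described on the slide.
Added example: not the speaker's perl script and not the Firepower remediation
framework API. Event records and all addresses below are constructed."""
import ipaddress
from typing import Iterable, List, Set, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample of the event records a remediation would be handed (fields invented).
SAMPLE_EVENTS = [
    {"rule": "Geo block", "action": "Block", "src_ip": "203.0.113.45"},
    {"rule": "Geo block", "action": "Block", "src_ip": "203.0.113.45"},    # repeat hit: dedupe
    {"rule": "Geo block", "action": "Block", "src_ip": "10.1.1.1"},        # RFC 1918: never list
    {"rule": "Geo block", "action": "Block", "src_ip": "198.51.100.50"},   # our own public range
    {"rule": "Allow web", "action": "Allow", "src_ip": "192.0.2.9"},        # not a block event
    {"rule": "Geo block", "action": "Block", "src_ip": "not-an-ip"},        # malformed field
    {"rule": "Geo block", "action": "Block", "src_ip": "2001:db8::10"},
]

# Ranges that must never land on a block list, whatever the event says.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def candidate_addresses(events: Iterable[dict], rule_name: str,
                        protected: Iterable[str]) -> Set[IPAddr]:
    """Source addresses of block events for rule_name, minus junk, internal and protected ranges."""
    excluded = NEVER_BLOCK + [ipaddress.ip_network(p) for p in protected]
    found: Set[IPAddr] = set()
    for ev in events:
        if ev.get("rule") != rule_name or ev.get("action") != "Block":
            continue
        try:
            addr = ipaddress.ip_address(ev.get("src_ip", ""))
        except ValueError:
            continue                                # one bad field must not abort the whole run
        if any(addr in net for net in excluded):   # membership is False across IP versions
            continue
        found.add(addr)
    return found


def merge_block_list(existing_lines: Iterable[str], new_addrs: Iterable[IPAddr]) -> List[str]:
    """Merge into a one-address-per-line list: comments dropped, deduplicated, sorted."""
    merged: Set[IPAddr] = set(new_addrs)
    for line in existing_lines:
        text = line.strip()
        if text and not text.startswith("#"):
            merged.add(ipaddress.ip_address(text))   # existing entries are single addresses here
    return [str(a) for a in sorted(merged, key=lambda a: (a.version, int(a)))]


def run_remediation(events: Iterable[dict], existing_lines: Iterable[str],
                    protected: Iterable[str] = ("198.51.100.0/24",)) -> List[str]:
    """One invocation of the script: pick the addresses and return the new list contents."""
    return merge_block_list(existing_lines, candidate_addresses(events, "Geo block", protected))


if __name__ == "__main__":
    print("\n".join(run_remediation(SAMPLE_EVENTS, ["# geo blocks", "203.0.113.1"])))
```

With the constructed events, only 203.0.113.45 and 2001:db8::10 survive the filters and are merged with the existing entry; a production version would also want a cap on list size and an expiry for entries, so that a noisy rule cannot grow the list without bound.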
Reference Material
Support Tools
http://www.cisco.com/c/en/us/support/web/tools-catalog.html
Security Threats and Notifications
http://www.cisco.com/security
• Current News
• Proactive Notifications
www.talosintel.com
SAFE Architecture
www.cisco.com/go/safe
Complete Your Online Session Evaluation
• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 gift card.
• Complete your session surveys through the Cisco Live mobile app or on www.CiscoLive.com/us.
Don't forget: Cisco Live sessions will be available for viewing on demand after the event at www.CiscoLive.com/Online.
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions
Thank you
Cybersecurity Cisco Education Offerings
| Course | Description | Cisco Certification |
|---|---|---|
| Understanding Cisco Cybersecurity Fundamentals (SECFND) | The SECFND course provides understanding of cybersecurity's basic principles, foundational knowledge, and core skills needed to build a foundation for understanding more advanced cybersecurity material and skills. | CCNA® Cyber Ops |
| Implementing Cisco Cybersecurity Operations (SECOPS) | This course prepares candidates to begin a career within a Security Operations Center (SOC), working with Cybersecurity Analysts at the associate level. | CCNA® Cyber Ops |
| Securing Cisco Networks with Threat Detection and Analysis (SCYBER) | Designed for security analysts who work in a Security Operations Center, the course covers essential areas of security operations competency, including SIEM, event monitoring, security event/alarm/traffic analysis (detection), and incident response. | Cisco Cybersecurity Specialist |
| Cisco Security Product Training Courses | Official deep-dive, hands-on product training on Cisco's latest security products, including NGFW, ASA, NGIPS, AMP, Identity Services Engine, Email and Web Security Appliances, and more. | |
Cybersecurity Cisco Education Offerings (continued)
| Course | Description | Cisco Certification |
|---|---|---|
| New! CCIE Security 5.0 | | CCIE® Security |
| Implementing Cisco Edge Network Security Solutions (SENSS) | Configure Cisco perimeter edge security solutions utilizing Cisco Switches, Cisco Routers, and Cisco Adaptive Security Appliance (ASA) Firewalls | CCNP® Security |
| Implementing Cisco Threat Control Solutions (SITCS) v1.5 | Implement Cisco's Next Generation Firewall (NGFW), FirePOWER NGIPS (Next Generation IPS), Cisco AMP (Advanced Malware Protection), as well as Web Security, Email Security and Cloud Web Security | CCNP® Security |
| Implementing Cisco Secure Access Solutions (SISAS) | Deploy Cisco's Identity Services Engine and 802.1X secure network access | CCNP® Security |
| Implementing Cisco Secure Mobility Solutions (SIMOS) | Protect data traversing a public or shared infrastructure such as the Internet by implementing and maintaining Cisco VPN solutions | CCNP® Security |
| Implementing Cisco Network Security (IINS 3.0) | Focuses on the design, implementation, and monitoring of a comprehensive security policy, using Cisco IOS security features | CCNA® Security |
For more details, please visit: www.cisco.com/go/securitytraining or http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth