Date post: 27-Sep-2020
Milan Habrcetl, Cisco Cybersecurity Specialist For SMB (but not only) Cisco Next Generation Firewall 3.6.2020
Transcript
Page 1

Milan Habrcetl, Cisco Cybersecurity Specialist

For SMB (but not only)

Cisco Next Generation Firewall

3.6.2020

Page 2

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Partner

Traditional network security

Internal traffic was considered inherently trustworthy, and external traffic was inherently untrustworthy

Public internet

Network edge

Data center

Firewall

One control point for all traffic

Page 3

The new reality

A one-size-fits-all approach has proved ineffective in today’s landscape.

Policy sprawl

Harmonizing policies across micro-perimeters is challenging

Single control point is not adequate

Every environment needs its own micro-perimeter

Evolving form factor

Single control point replaced by multiple firewalls, both physical and virtual

Management complexity

NetSec and IT use dozens of point products, each with its own management console

Evolving threat landscape

Security products need a continuous feed of threat intelligence to stay ahead of attackers

Page 4

Firewall Validated Use Cases

Branch

RA VPN

Cloud/Virtual

Data Center

NGIPS

Internet Edge

Where Cisco can help

Page 5

Why Cisco NGFW?

Integrated security portfolio

Extend network security beyond the firewall with malware protection, identity-based routing, multi-factor authentication, and more.

World-class security controls

Protect your workloads with a complete portfolio of NGFW solutions, backed by industry-leading threat intelligence.

Consistent policy and visibility

Streamline security policy and device management across your extended network and accelerate key security operations.

Page 6

Cisco’s Comprehensive Security Portfolio

Integrated security portfolio

World-class security controls

Consistent policies and visibility

Duo Multi-Factor Authentication

Identity Services Engine (ISE)

AMP for Endpoints

Firepower Management Center (FMC)

Firepower Device Manager (FDM)

Cisco Threat Response (CTR)

Application Centric Infrastructure

Cisco Defense Orchestrator (CDO)

Rapid Threat Containment

TrustSec

Firepower Threat Defense (FTD)

Multi-Instance

ASA

Clustering

Firepower Platforms

Talos

Stealthwatch

Page 7

Firepower Platforms

Page 8

Firepower Portfolio

ASA 5508/16

NEW

FPR 4115/25/45

NEW

FPR 1010

NEW

FPR 1120/40

FPR 2110/20/30/40

FPR 9300 Series: SM-40, SM-48, SM-56

NEW

ASA 5525/45/55

FPR 4110/20/40/50

SM-24, SM-36, SM-44

650 Mbps AVC, 650 Mbps AVC+IPS

1.5-2.2 Gbps AVC, 1.5-2.2 Gbps AVC+IPS

2-8.5 Gbps AVC, 2-8.5 Gbps AVC+IPS

Stand-alone device: 12-53 Gbps AVC, 10-47 Gbps AVC+IPS 6

Six node cluster: Up to 254 Gbps AVC, Up to 226 Gbps AVC+IPS

One Module: 30-70 Gbps AVC, 24-64 Gbps AVC+IPS

Six node (2 chassis) cluster: Up to 336 Gbps AVC, Up to 307 Gbps AVC+IPS

SOHO/SMB

Branch Office

Mid-Size Enterprise

Large Enterprise

Data Center

Service Provider

Page 9

4 Core

• 1.2 Gbps AVC

• 1.1 Gbps AVC+IPS

8 Core

• 2.4 Gbps AVC

• 2.2 Gbps AVC+IPS

12 Core

• 3.6 Gbps AVC

• 3.3 Gbps AVC+IPS

Firepower NGFW: FTD Virtual Platforms

Private Cloud

• 1.2 Gbps AVC

• 1.1 Gbps AVC+IPS

AWS Instance types

• c3.xlarge

• c4.xlarge

• c5.xlarge

Azure Instance types

• Standard D3

• D3v2

Public Cloud

Page 10

NGFW Hardware 2019 Update

As the threat landscape evolves, our NGFW portfolio does too. Gain more features and better performance at the same or lower price point.

Better performance

• Up to 3.5x boost in NGFW throughput

• Up to 5x boost in VPN throughput

More connections

• Up to 2x more connections per second (CPS)

Improved encrypted traffic throughput

• Up to 3x boost in encrypted traffic performance

Page 11

NEW: Firepower 1000 Series

Small business and branch office security with superior price / performance

NEW

*POE and L2 support expected 2H CY2019

NEW

Firepower 1010

• High–performance desktop NGFW

• PoE, 8 10/100/1000 Base-T RJ45 switching ports*

• Stateful firewall, AVC, NGIPS, AMP, URL filtering

650Mbps NGFW throughput

Firepower 1120/40

• High–performance Rackmount NGFW

• 8 10/100/1000Base-T RJ45 switching ports, 4 1000Base-F SFP switching ports

• Stateful firewall, AVC, NGIPS, AMP, URL filtering

1120: 1.5 Gbps NGFW throughput

1140: 2.2 Gbps NGFW throughput

Page 12

NEW: Firepower 1000 Series

Small business and branch office security with superior price / performance

Page 13

Data center and service provider security without compromise

New: Firepower 4100 Series

• Up to 50% performance improvement over previous models

• Up to 44% higher TLS performance!

• Supported software releases:

• FTD 6.4 – including multi-instance

• ASA 9.12.1

• FXOS 2.6.1

Enterprise and data center security with exceptional price/performance

3 new appliance models: 4115, 4125, 4145

up to 47 Gbps NGFW throughput*

NEW

*1024B FW+AVC+IPS

Page 14

Data center and service provider security without compromise

3 new 9300 SM models: SM-40, SM-48, SM-56

up to 153 Gbps NGFW throughput*

NEW

*1024B FW+AVC+IPS

New: Firepower 9300 Service Modules

• Up to 80% performance boost over previous-generation SM

• Up to 33% higher TLS performance!

• Supported software releases:

• FTD 6.4 – including multi-instance

• ASA 9.12.1

• FXOS 2.6.1

Page 15

Firepower NGFW: ISA3000 Provides FTD to Manufacturing

Maximum Firewall Throughput 2 Gbps

Ideal for industrial environments

• Hardened design

• DC power supply

• DIN rail

Two models of ISA 3000

• 2 x Copper + 2 x Fiber data interfaces

• 4 x Copper data interfaces

Industrial features include

• Alarm port: 2 x alarm input, 1 x alarm output

• SD card auto backup/restore

• Hardware bypass for transparent mode firewall

Page 16

Firepower NGFW: Cisco Cloud Services Platform (CSP)

Open Network Functions Virtualization (NFV) platform based on KVM

Provides alternative deployment options for FTD

Examples

• Deploy FMC, FTD and ASA on a single CSP-5228

• Deploy 13 FTDs on a single CSP-5456

Managed with orchestration or as standalone network platform

• Cisco Secure Agile Exchange (SAE)

• Network Services Orchestrator (NSO)

Page 17

Firepower Threat Defense (FTD)

Page 18

What is Firepower Threat Defense (FTD)?

Delivers nearly 100% efficacy on blocking malicious flows and guards the network against threats.

Key Benefits

• Tenant management separation

• Scale as you grow

• Impact analysis

• Prioritize administration

Features

• NGIPS

• Integrated TLS Decryption

• Site-to-site VPN

• Cisco Threat Intelligence Director

• Continuous Analysis with Retrospection

Page 19

Firewall Policy Powered by Talos & OpenApp ID

Security Intelligence: Block latest malicious IPs, URLs and FQDNs

AVC with OpenAppID: Identify and control over 4,000+ pre-defined apps

AVC with OpenAppID: Easily create custom application detectors

URL Categories: Classify 280M+ URLs using 80+ categories

Category-based Policy Creation

Admin

Allow Block

DNS Sinkhole


Security feeds

URL | IP | DNS

Control traffic based on IP, URL, FQDN, or application

NGFW

Allow Block Warn

Page 20

Powered by Snort – best of breed, open source IPS

NGIPS brings the power of context to IPS

Next Generation IPS (NGIPS)

Impact of IPS events can be deduced.

Reduce the noise/volume of events and prioritize administration

Firepower recommendation can tune IPS.

IMPACT FLAG | ADMINISTRATOR ACTION | WHY
1 | Act immediately, Vulnerable | Event corresponds to vulnerability mapped to host
2 | Investigate, Potentially Vulnerable | Relevant port open or protocol in use but no vuln mapped
3 | Good to know, Currently Not available | Relevant port not open or protocol not in use
4 | Good to know, Unknown Target | Monitored network but unknown host
0 | Good to know, Unknown Network | Unmonitored network

Page 21

Correlate Host Profile & IPS Drive Impact Analysis and Rule Recommendations

Page 22

Malware Events

Indications of Compromise (IoCs) Events

IPS Events

Security Intelligence Events

CnC Connections

Connections to known CnC IPs: DNS Servers, Suspect URLs

Malware Detections

Malware Executions

Malware Backdoors

Admin Privilege Escalations

Office/PDF/Java Compromises

Dropper Infections

Exploits Kits

Web App Attacks

Page 23

IoCs Facilitate Remediation

[Chart: Hosts by Indication]

Facilitate understanding and remediation to reduce impact

• Identifies compromised and potentially compromised systems

• Take automatic action through Cisco Rapid Threat Containment

Indications of Compromise

[Chart: Indications by Host; axis label: Indications]

Page 24

Integrated TLS Decryption

Decrypt traffic in hardware or software

Inspect deciphered packets Track and log all TLS sessions

Finds encrypted threats while reducing performance impact

• TLS hardware acceleration delivers high-performance inspection of encrypted traffic

• Centralized enforcement of TLS certificate policies

• Examples: Blocking self-signed encrypted traffic, specified TLS version, cipher suites

Encrypted Traffic Log

TLS decryption engine

NGIPS

Enforcement decisions

AVC

[Figure: encrypted HTTPS URLs passing through the TLS decryption engine; category labels "elicit" and "gambling"]

Page 25

Site-to-Site VPN

Easily and securely interconnect remote sites

• IKEv1/IKEv2 policy-based VPN

• Easy topology-based management of VPN on multiple peers

• Point-to-point

• Hub and Spoke

• Full Mesh

• Flexible authentication options – pre-shared key (automatic) and certificates

Point-to-Point Hub and Spoke Full Mesh

FTD

FTD

FTD

FTD

Router

Third Party Device

or

or

Hub

Page 26

Cisco Threat Intelligence Director

Cisco Threat Intelligence Director (CTID)

FMC ingests third-party Cyber Threat Intelligence (CTI)

FMC publishes observables to FTD

FMC detects incidents FTD reports observables

FTD

Support of open integration

FMC

FTD

Monitor

Block

Extend Talos Security Intelligence with 3rd party cyber threat intelligence

Parse and operationalize simple and complex threat indicators

Page 27

Talos

Page 28

Talos is the threat intelligence group at Cisco. We are here to fight the good fight — we work to keep our customers, and users at large, safe from malicious actors.

Engineering & Development

Global Outreach

Community

Vulnerability Research & Discovery

Detection Research

Threat Intelligence & Interdiction

What is Talos?

Page 29

From Unknown to Understood

Product Telemetry

Endpoint Detection & Response

Mobile Security

Multi-factor authentication

Network

Endpoint

Cloud

Data Sharing

Vulnerability Discovery

Threat Traps

Firewall

Intrusion Prevention

Web Security

SD Segmentation

Behavioral Analytics

Security Internet Gateway

DNS Security

Email Security

Page 30

Management platforms

Page 31

Management Designed for the User

For easy on-box management of single FTD or pair of FTDs running in HA

For centralized cloud-based policy management of multiple deployments

*For FTD release 6.4 or higher

Helps administrators enforce consistent access policies, rapidly troubleshoot security events, and view summarized reports across the deployment

Cisco Firepower Device Manager (FDM)

Cisco Defense Orchestrator (CDO)

Cisco Firepower Management Center (FMC)

On premise Centralized Manager, SecOps Focused

On-box manager, NetOps Focused

Cloud Based Centralized Manager, NetOps Focused

Coexist

Flexibility of cloud or on-premises options

Common APIs

Security Integrations

Page 32

Management Platforms: When to Position?

Use case | Managers of choice | Details
Internet edge | CDO or FMC | CDO for ease of use and netops users; FMC for advanced security analytics; Ask your customer about their priority
Enterprise branch | CDO | FTDs can connect to CDO directly through the data interface; Onboarding is low-touch
SMB | CDO or FDM | FDM or CDO provide greater usability; CDO is recommended for more than one firewall
Data center Edge / Core | FMC | FMC supports 4100 and 9300, clustering, TrustSec
Campus fabric | FMC | FMC supports 4100 and 9300, clustering, TrustSec
NGFWv running in public cloud | FMC | FMC supports NGFWv in AWS and Azure
IPS only | FMC | FMC supports all the advanced IPS features, and provides a separate interface from the Firewall

Page 33

Cisco Threat Response (CTR)

Page 34

What is Cisco Threat Response (CTR)?

Automates integrations across networks, endpoints, and cloud environments

Key Benefits

• Out of box integrations

• Sped cyber investigations

• Included with Cisco security product licenses

• Reduce burden of other security products

Features

• Aggregated threat intelligence

• Automated enrichment

• Incident tracking

• Seamless drill down

• Direct remediation

Page 35

Investigate Any Item: Endpoint

BRKSEC-243336

Reduce complexity and time needed for threat hunting

Page 36

Leverage a Seamless Workflow

• Limited data is stored in cloud

• FMC can send IPS events to CTR

• Any IP, domain, file hash or IoC seen in FMC can be queried in CTR, reducing complexity and time for threat hunting

• Continuous analysis with retrospection facilitates remediation and enhances forensics

FTD supplies security events to CTR

Page 37

Integrated Security Portfolio

Page 38

Remote Access VPN with DUO

Provide ubiquitous secure access from remote and roaming users

• Posture assessment

• Uses TLS, DTLS or IKEv2

• Easy wizard-based configuration

• Integration with LDAP and RADIUS

• Identity based security policies

• Enhanced security with 2FA/MFA provided by Duo

Extend access remotely

Protect important data

Maintain application performance

Support multiple sites

AnyConnect RA VPN Client

Page 39

Protect Your Network Using AMP

File Fingerprint and Metadata

Process Information

File and Network I/O

Breadth and Control points

Telemetry Stream

Talos + Threat Grid Intelligence

Understand the motion and behavior of files

Web Endpoints Network Email Devices IPS

Threat Hunting

File Trajectory

Behavioral IoCs

Retrospective Detection

Page 40

Application-Centric Infrastructure

• Link security to software defined networking

• Create identity-based policy with Application Policy Infrastructure Controller (APIC)

• Segment physical and virtual endpoints based on group policies with detailed and flexible segmentation

Transparent policy-based security for both physical and virtual environments

Page 41

Control Traffic Based on User Identity

• Active Directory users and groups can be used in policy configuration

• Cisco Identity Services Engine (ISE) can be used to provide identity

• TrustSec Security Group Tag (SGT)

• Device type (endpoint profiles) and location

• Examples

• Block HR users from using personal iPads

• Create rules for quarantined iPhones

Page 42

Scalable and agile segmentation technology in over 40 different Cisco product families

Enables dynamic, role-based policy enforcement anywhere on your network

Employee Info

HTTP

Financial Server

Developer Server

Guest endpoint

Simplify Security Management with TrustSec

Consistent Policy Anywhere

SGACLs

Simplified Access Management

Enterprise Network

Employee endpoint

Developer endpoint

NonCompliant endpoint

Leverage the network and investment

Consistent Policy Anywhere

Control all network segments centrally, regardless of whether devices are wired, wireless or on VPN

Rapid Security Administration

Speed up adds, moves, and changes, simplifying firewall administration to speed up server onboarding

Simplified Access Management

Manage policies using plain language and maintain compliance by regulating access based on business role

Key

Employee Tag

Developer Tag

Voice Tag

Non-Compliant Tag

Employee Info Tag

Developer Server Tag

Financial Server Tag

HTTP Tag

Accelerated Security Options

Deny Employee to Financial Server

Permit Developer to Developer Server

Permit Guest to Web

Permit Developer to Developer Server

Page 43

Cisco Rapid Threat Containment

Open Remediation

API

3rd Party Devices

Tetration

Routers

Firewalls

ACI

ISE

FMC

Authorization

EMPLOYEES

172.20.100.3

• Automatic network threat containment using the network as an enforcer

• Threat-centric network access determines network access based on IoCs

• Richer visibility from bidirectional data sharing with the ISE

Proven approach to reduce time and impact of threat

Page 44

Ready to get started? Upgrade your NGFW today!

Sign up for a free trial:

FMC Trial

CDO Trial
