Page 1: Deep Dive Lab on Cisco Firepower - SafePlus Live Berlin 2017/LTRSEC... · Deep Dive Lab on Cisco Firepower NGFW and ASA Integration in ACI Goran Saradzic –Security TME Manager Minako
Page 2

Deep Dive Lab on Cisco Firepower NGFW and ASA Integration in ACI

Goran Saradzic – Security TME Manager
Minako Higuchi – ACI TME

LTRSEC-3001

Page 3

Agenda

• Introduction with Demo

• Labs:

1. Connect and run scripts to build out your Tenant with security services

2. Enable the Dynamic Update to EPG feature on the out-to-web contract

3. Apply malware protection to the FTDv service graph on the app-to-db contract

4. Run Rapid Threat Containment with the FMC remediation package for APIC

5. Study the mechanics and benefits of the ASA PBR service graph

• Conclusion

Page 4

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

Advanced Security and Threat Defense in ACI

ASA Device Package (platforms running the ASA application):
  ASA5585-X; ASA5500-X (traffic diverted to the SFR module for FirePOWER Services); ASAv5, ASAv10, ASAv30; Firepower 4100 and Firepower 9300 running the ASA app

FTD & NGIPS Device Package* (platforms running the FTD application):
  FirePOWER 7000 and 8000 appliances; FirePOWERv; ASA5500-X; Firepower 4100 and Firepower 9300 running the FTD app. Policy is managed from Firepower Management Center (FMC).

Platforms and interface speeds:
  Firepower 9300 – 10/40/100G
  Firepower 4100 – 1/10/40G
  ASA5585-X – 1/10G
  ASA5500-X – 1G
  FirePOWER 7000 – 1G
  FirePOWER 8000 – 1/10/40G

* Beta

Page 5

Programmatic Approach with Security

• Stand up defenses at the same time as applications: Cisco Security Device Packages for APIC.

• Automate security policy updates through tighter integration between the security appliances and APIC: dynamic EPG updates to rules/ACLs.

• Embrace dynamic workload quarantine with programmable policy enforcement: Cisco FMC Remediation Package for APIC.

Page 6

Application Profile Before and After Orchestration

The rebuild-mypod.bash script builds out the tenant and attaches service graphs to three contracts:

  out-to-web (ASA)
  web-to-app (ASA)
  app-to-db (FTD)

Page 7

LTRSEC-3001 Lab Topology: ASA and Firepower NGFW in ACI (hybrid model, FMC as service manager)

External VRF vrf(pod#)net
  Outside Network with Outside host 10.70.0.101 (gateway 10.70.0.1), reached through L3out1, L3out2 and L3out3 (address pairs shown: 10.40.0.1/10.40.0.10, 10.50.0.1/10.50.0.10, 10.60.0.1/10.60.0.10)
  ASAv5 on the outside and an ASA5525 cluster: routed L3FW context, dynamic routing to vPC, GoTo (non-PBR) service graph on the out-to-web contract

Internal VRF pod(pod#)net
  BD1 (web), fabric SVI/subnet 10.1.0.2/24: Web EPG with Web host 10.1.0.101/16, App EPG with App host 10.1.pod#.102/16
  BD2 (db): DB EPG with DB host 10.2.0.103
  BD3 (pbr-bd), fabric SVI 10.3.0.2: ASA5525 with dynamic EPG, one-arm at 10.3.0.1, routed L3FW context, ASA failover; PBR GoTo L3FW service graph on the web-to-app contract
  NGFWv (FTDv) between BD1 and BD2, routed mode, GoTo (non-PBR) service graph on the app-to-db contract; shown with 10.1.0.1 on the BD1 side and 10.2.0.1 on the BD2 side

Contracts
  out-to-web: source 10.70.0.101, destination 10.1.0.101
  web-to-app: source 10.1.0.101, destination 10.1.pod#.102
  app-to-db: source 10.1.pod#.102 (App host), destination 10.2.0.103

Page 8

Cisco Service Graph Options by Division of Labor

Unmanaged (NGFW (FTD) or ASA; Firepower NGIPS/NGFW)
  APIC configures only the Nexus 9k leafs/spines: shadow EPG VLANs, L3outs.
  Security team configures the device itself: interfaces, VLANs, IPs, static or dynamic routes; ACLs, inspections, HA; threat defense policies (NGIPS, AMP) via FMC.

Hybrid – Device Manager (Firepower NGIPS(v) via the Firepower Device Package)
  APIC configures the service graph in the ACI fabric and, through FMC, on the NGIPS(v): interfaces, VLANs, FW L2/L3, inline IPS, security zones.
  Security team configures via FMC: threat defense policies (NGIPS, AMP), access control, URL filtering, geolocation features, etc.

Managed (ASA with FirePOWER Services via the ASA Device Package)
  APIC configures the ASA: interfaces, VLANs, IPs, static or dynamic routes; ACLs, inspections, HA, special features.
  Security team configures via FMC: threat policies for the ASA embedded FirePOWER Services.

Page 9

FTD Device Package for ACI (Hybrid – Device Manager)

APIC configures the service graph in the ACI fabric (Nexus 9k leafs/spines: shadow EPG VLANs, L3outs) and, via the FTD Device Package and the FMC API, on the NGFW(v):
• Interfaces and VLANs, BVIs, inline pairs (cross-connects)
• Routed or transparent FW, NGIPS
• Create security zone
• Create/update policy and rule

Security team updates in FMC:
• Network access policy
• NGIPS, file and geolocation policies (threat defense policies, access control, URL filtering, geolocation features, etc.)
• Other items beyond the APIC configuration

Firepower NGFW 6.2 code; in beta, to release Q2CY17.

Page 10

LTRSEC-3001 Physical Gear

  Nexus 9336PQ spine
  2x Nexus 9396PX leafs, 40G to the spine
  4x ASA5525 (ASA + SFR module), attached over 4x1G links
  2x FirePOWER 7010, attached over 4x1G links
  2x UCS C220 M4L servers, 10G to the leafs

Page 11

Contract Diagrams

Page 12

Contract out-to-web and ASA GoTo Service Graph

Outside host 10.70.0.101 (Outside Network in External VRF vrf(pod#)net, gateway 10.70.0.1) reaches Web host 10.1.0.101/16 (Web EPG in Internal VRF pod(pod#)net, BD1 (web), SVI/subnet 10.1.0.2/24) through the out-to-web contract: source 10.70.0.101, destination 10.1.0.101. App host 10.1.pod#.102/16 sits in the App EPG behind the Web EPG.

Service node: ASAv5 on the outside and an ASA5525 cluster, routed L3FW context, dynamic routing to vPC, GoTo (non-PBR) graph. Outside connectivity over L3out1, L3out2 and L3out3 (address pairs shown: 10.40.0.1/10.40.0.10, 10.50.0.1/10.50.0.10, 10.60.0.1/10.60.0.10).

Page 13

Attachment Notification on Service Graph Terminals

With attachment notification enabled on the graph terminals, APIC pushes one network object-group per attached EPG to the ASA, named __$EPG$_<tenant>-<application profile or L3out>-<EPG>, and keeps its members in step with the endpoints (or the external subnet) of that EPG. On the pod 37 ASA:

  P2-ASA5525-1/pod37# show object-group
  object-group network __$EPG$_pod37-wan-out-out-l3out3
   network-object 10.70.0.0 255.255.255.0
  object-group network __$EPG$_pod37-aprof-app
   network-object host 10.1.37.102
  object-group network __$EPG$_pod37-aprof-web
   network-object host 10.1.0.101

The three groups map onto the diagram: the Outside Network 10.70.0.0/24 (gateway 10.70.0.1, Outside host 10.70.0.101) behind the L3out, App host 10.1.37.102/16 in the App EPG, and Web host 10.1.0.101/16 in the Web EPG (BD1 (web), SVI/subnet 10.1.0.2/24). The out-to-web contract is source 10.70.0.101, destination 10.1.0.101.

Page 14

Dynamic Update to EPG Object-Group

Web EPG (consumer) and App EPG (provider) are joined by an ACE on the ASA that references the EPG object-group rather than individual host addresses:

  object-group network __$EPG$_pod37-aprof-app
   network-object host 192.168.10.101
   network-object host 192.168.10.102
  access-list access-list-inbound extended permit tcp any object-group __$EPG$_pod37-aprof-app eq www

1: Enable “Attachment Notification” on the function connector internal.

2: APIC creates the object-group for the EPG.

3: APIC adds new endpoints to the object-group (192.168.10.101, 192.168.10.102).

APIC dynamically detects each new endpoint; the ASA device package subscribes to the attach/detach events and adds (or removes) the endpoint IPs in the object-group, so the ACE itself never has to change.

Page 15

EPG Segmentation with Dynamic Update

One flat BD2 subnet 10.1.0.0/16 holds many EPGs (IP1, IP2, IP3 ... IP10, IP11, IP12). The ASA is shared across BD2 and fronts the DB EPG in BD1 10.2.1.0/24; everything not explicitly permitted is denied. The ASA device package builds up the ACEs on the ASA, and the service graph allows APIC to insert new endpoints:

  object-group network __$EPG$_pod10-aprof-web
   network-object host 10.1.0.11
   network-object host 10.1.0.2
  access-list acl1 extended permit tcp object-group __$EPG$_pod10-aprof-web 10.2.1.0 255.255.255.0 eq sqlnet

APIC dynamically detects new endpoints that come up in the red EPGs and, based on the ASA attach notification for those EPGs, inserts the new endpoint IPs into the object-group. Endpoints that obtain their address via DHCP, and so cannot be listed in a static ACL, are therefore permitted to reach the BD1 DB EPG as soon as they attach, while the rest of the flat subnet stays denied.
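The attachment-notification mechanic of pages 13 to 15, modelled as an added example (this is not the ASA device package's code, and the event dicts are a stand-in for APIC's attach/detach notifications): an object-group keeper that derives the __$EPG$_ name from tenant, application profile and EPG, applies attach/detach events idempotently, emits the ASA CLI delta the device package would push, and reconciles against APIC's full endpoint list so that a lost detach notification does not leave a stale host permitted by every ACE that references the group.

```python
"""Added example: model of the ASA device package's dynamic EPG object-group.

Not Cisco's code. Tenant / application profile / EPG names follow the lab's
pod37 naming; the event dicts stand in for APIC attach/detach notifications.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class EpgObjectGroup:
    """One ASA network object-group mirroring the endpoints of one EPG."""
    tenant: str
    app_profile: str
    epg: str
    members: set = field(default_factory=set)

    @property
    def name(self) -> str:
        # Naming used by the device package: __$EPG$_<tenant>-<app profile>-<EPG>
        return f"__$EPG$_{self.tenant}-{self.app_profile}-{self.epg}"

    def apply(self, event: dict) -> list[str]:
        """Apply one attach/detach notification and return the ASA CLI delta.

        Idempotent: a repeated attach, or a detach of an unknown host, is a
        no-op, so a replayed notification never produces a CLI error.
        """
        addr = ipaddress.ip_address(event["ip"])  # rejects malformed input early
        kind = event["event"]
        if kind == "attach":
            if addr in self.members:
                return []
            self.members.add(addr)
            return [f"object-group network {self.name}", f" network-object host {addr}"]
        if kind == "detach":
            if addr not in self.members:
                return []
            self.members.discard(addr)
            return [f"object-group network {self.name}", f" no network-object host {addr}"]
        raise ValueError(f"unknown event type {kind!r}")

    def reconcile(self, apic_endpoints: list[str]) -> list[str]:
        """Full resync against the endpoint list APIC currently holds for the EPG.

        Run periodically: if a detach notification was lost, the stale host
        stays permitted by every ACE that references this group until then.
        """
        desired = {ipaddress.ip_address(ip) for ip in apic_endpoints}
        delta = []
        for addr in sorted(desired - self.members):
            delta += self.apply({"event": "attach", "ip": str(addr)})
        for addr in sorted(self.members - desired):
            delta += self.apply({"event": "detach", "ip": str(addr)})
        return delta

    def render(self) -> str:
        """The group as 'show running-config object-group' would print it."""
        lines = [f"object-group network {self.name}"]
        lines += [f" network-object host {addr}" for addr in sorted(self.members)]
        return "\n".join(lines)


def ace_for(group: EpgObjectGroup, acl: str, port: str) -> str:
    """The ACE references the group, so it is written once and never edited."""
    return (f"access-list {acl} extended permit tcp any "
            f"object-group {group.name} eq {port}")


if __name__ == "__main__":
    # Constructed sample events, in the order APIC would report them (page 14).
    events = [
        {"event": "attach", "ip": "192.168.10.101"},
        {"event": "attach", "ip": "192.168.10.102"},
        {"event": "attach", "ip": "192.168.10.102"},  # duplicate: no-op
    ]
    group = EpgObjectGroup("pod37", "aprof", "app")
    for ev in events:
        for line in group.apply(ev):
            print(line)
    print(ace_for(group, "access-list-inbound", "www"))
    # Simulate a lost detach for .101: resync against what APIC currently holds.
    print("\n".join(group.reconcile(["192.168.10.102"])))
```

The reconcile step is the check worth keeping in production: the device package pushes deltas on events, so compare the object-group on the ASA against the EPG's endpoint list in APIC on a schedule and alert on any host that is in the group but no longer in the EPG.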

Page 16

Contract web-to-app and ASA PBR GoTo Graph

Internal VRF pod(pod#)net, BD1 (web), SVI/subnet 10.1.0.2/24: Web host 10.1.0.101/16 (Web EPG) and App host 10.1.p#.102/16 (App EPG) share the bridge domain. The web-to-app contract (source 10.1.0.101, destination 10.1.p#.102) carries a PBR GoTo L3FW service graph that redirects the traffic out of BD1 to an ASA5525 pair (dynamic EPG, routed L3FW context, one-arm mode, ASA failover) at 10.3.0.1 in BD3 (pbr-bd), whose fabric SVI is 10.3.0.2.

Page 17

PBR Service Graph to a Single Interface L3FW ASA (one-arm graph, managed)

Protected servers in EPG APP (BD1, DHCP range 10.1.0.100 – 10.1.0.140) and EPG DB sit in the same bridge domain. The PBR service graph redirects traffic between the two EPGs within that bridge domain (subnet) to the ASA(v) at 10.3.0.1 in BD_pbr, whose N9k SVI is 10.3.0.2; the ASA carries a default or static route back to that SVI.

The fabric directs traffic in and out of the same ASA interface, so this ASA feature must be enabled on the managed ASA:

  same-security-traffic permit intra-interface

The PBR redirect policy on APIC addresses the service node by IP and MAC. We can script a custom MAC (5585.4100.9300) on the ASA(v) interface and set that MAC on the PBR redirect; a configured MAC also stays the same across an ASA failover, so the redirect policy does not need to change when the standby unit becomes active.

Select which traffic to redirect versus which protocols not to redirect; the lab uses http and ssh (file copy) as its examples. Requires APIC 2.0.

Page 18

Contract app-to-db and FTDv GoTo Service Graph

Internal VRF pod(pod#)net: App host 10.1.pod#.102/16 (App EPG, BD1 (web), SVI/subnet 10.1.0.2/24; Web host 10.1.0.101/16 is in the Web EPG of the same BD) talks to DB host 10.2.0.103 (DB EPG, BD2 (db)) through the app-to-db contract: source 10.1.pod#.102, destination 10.2.0.103. The service graph is a GoTo (non-PBR) NGFWv (FTDv) in routed mode between BD1 and BD2, shown with 10.1.0.1 on the BD1 side and 10.2.0.1 on the BD2 side. FMC is the service manager (hybrid model).

Page 19

FTD Device Package* in ACI

• GoTo (routed L3FW) and GoThrough (transparent L2FW, inline NGIPS) graphs
• FMC manages the FTDv policy
• APIC uses the FMC APIs to define interfaces, VLANs, IPs, BVIs, inline pairs, etc.
• APIC tells vCenter to connect the graph vNICs

FTDv managed service graph – vNIC pairs (FTDv on VMware, vCenter): vNIC2 attaches to the consumer (app) SG portgroup and vNIC3 to the provider (db) SG portgroup; the VLANs shown are 100/200 and 304/305.

FMC security zones are defined by APIC and inserted into access control policy (ACP) rules, which the security admin can then configure to carry the appropriate traffic controls and inspections (e.g. AMP).

* Beta. The lab also includes an unmanaged FTDv graph.

Page 20

FMC to APIC Rapid Threat Containment: FMC Remediation Module for APIC

Step 1: An infected endpoint (App1 in the App EPG) launches an attack that the NGFW(v), FirePOWER Services in the ASA, or a FirePOWER appliance blocks.

Step 2: An event is generated to FMC about the attack blocked from the infected host.

Step 3: The attack event is configured to trigger the remediation module for APIC, which quarantines the infected host using the APIC north-bound API.

Step 4: APIC quarantines the infected App1 workload into an isolated uSeg EPG, away from App2 and the DB EPG.

See demo on http://cs.co/rtc-with-apic
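The APIC side of steps 3 and 4, as an added example that is not Cisco's remediation module: the north-bound REST calls such a module makes (aaaLogin, then creation of an attribute-based uSeg EPG whose IP attribute matches the infected host). A uSeg EPG with no contracts can reach no other EPG, which is the quarantine. One EPG per quarantined host is one way to lay this out and the real module's object layout may differ; the APIC address, credentials, tenant/application profile/BD names, the FMC event shape and the list of infrastructure addresses that must never be quarantined are all placeholders or constructed here.

```python
"""Added example: APIC north-bound calls for Rapid Threat Containment.

Not Cisco's remediation module. APIC address, credentials, tenant/app/BD
names and the FMC event shape are placeholders; RecordingSession stands in
for requests.Session() so the example runs offline.
"""
from __future__ import annotations

import ipaddress

APIC = "https://apic.example.net"                  # placeholder
TENANT, APP_PROFILE, BD = "pod37", "aprof", "bd1"  # placeholders following the lab naming

# Constructed from the lab diagram: fabric SVIs/gateways and firewall interfaces.
# Quarantining one of these would take the pod down, so the module must refuse.
NEVER_QUARANTINE = {
    ipaddress.ip_address(a)
    for a in ("10.1.0.1", "10.1.0.2", "10.2.0.1", "10.3.0.1", "10.3.0.2", "10.70.0.1")
}


def login_payload(user: str, password: str) -> dict:
    """Body for POST /api/aaaLogin.json; APIC returns the APIC-cookie token."""
    return {"aaaUser": {"attributes": {"name": user, "pwd": password}}}


def quarantine_epg_name(ip: str) -> str:
    return f"quarantine-{ip}"


def quarantine_epg_payload(epg: str, bd: str, ip: str) -> dict:
    """fvAEPg with isAttrBasedEPg=yes and one criterion matching the host IP.

    Deliberately no fvRsCons/fvRsProv children: no contracts, no reachability.
    """
    return {
        "fvAEPg": {
            "attributes": {"name": epg, "isAttrBasedEPg": "yes", "descr": "RTC quarantine"},
            "children": [
                {"fvRsBd": {"attributes": {"tnFvBDName": bd}}},
                {"fvCrtrn": {
                    "attributes": {"name": "default", "match": "any"},
                    "children": [
                        {"fvIpAttr": {"attributes": {"name": f"ip-{ip}", "ip": ip}}}
                    ],
                }},
            ],
        }
    }


def epg_url(tenant: str, app_profile: str, epg: str) -> str:
    return f"{APIC}/api/mo/uni/tn-{tenant}/ap-{app_profile}/epg-{epg}.json"


class RecordingSession:
    """Offline stand-in for requests.Session(): records calls instead of sending."""
    def __init__(self) -> None:
        self.calls = []

    def post(self, url: str, json: dict) -> dict:
        self.calls.append((url, json))
        return {"imdata": []}  # shape of an APIC success response


def quarantine(session, event: dict, user: str = "rtc-svc", password: str = "***") -> str | None:
    """Handle one FMC event (constructed shape: src_ip, blocked); return the EPG name or None.

    Only a blocked attack *from* the host marks it as the infected source, and
    fabric infrastructure addresses are skipped even if an event names them.
    """
    if not event.get("blocked"):
        return None
    addr = ipaddress.ip_address(event["src_ip"])
    if addr in NEVER_QUARANTINE:
        return None
    epg = quarantine_epg_name(str(addr))
    session.post(f"{APIC}/api/aaaLogin.json", json=login_payload(user, password))
    session.post(epg_url(TENANT, APP_PROFILE, epg),
                 json=quarantine_epg_payload(epg, BD, str(addr)))
    return epg


if __name__ == "__main__":
    # Constructed FMC events: a real hit, one naming a fabric SVI, one not blocked.
    sess = RecordingSession()
    for ev in ({"src_ip": "10.1.37.102", "blocked": True},
               {"src_ip": "10.1.0.2", "blocked": True},
               {"src_ip": "10.1.37.103", "blocked": False}):
        print(ev["src_ip"], "->", quarantine(sess, ev))
    for url, body in sess.calls:
        print(url, body)
```

To run it against a real fabric, pass a requests.Session() in place of RecordingSession; it keeps the APIC-cookie from aaaLogin for the second call. Depending on the domain type, the uSeg EPG also needs a domain association (fvRsDomAtt) before the IP attribute classifies traffic, and releasing the host means deleting the EPG again, so log every quarantine with the triggering event ID.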

Page 21

Access Your Pod – Use Firefox

Page 22

Log into Lab Portal

http://cs.co/mylab

Using the Class Name, log in first to add your profile information, then log back in to access the PODs.

Class Name: gorans_v22995

Page 23

Pick a Free Pod – Has No Mapped Student

Page 24

Access your assigned POD

Page 25

US Keyboard Layout in RDP

Page 26

Lab Portal Diagram: Open RDP Session

Left click on the RDP jumpbox icon to reveal and click on the ‘RDP Client’ menu. Jumpbox credentials are shown in your Topology tab under the jumpbox link.

Open your instructions PDF: http://cs.co/acisec-lab-guide

Class Name: gorans_v22995

Remember your POD number: SEC-ACI-10 means POD10.

Page 27

Thank You
