Threat focused ngfw navy tech day

Date posted: 15-Jan-2017
Uploaded by: cisco-public-sector
Dan Reed – Security Consulting Systems Engineer [email protected] March 2016 Cisco Threat-Focused Next Generation Firewall
Transcript
Page 1: Cisco Threat-Focused Next Generation Firewall

Dan Reed – Security Consulting Systems Engineer, [email protected]

March 2016

Page 2: What is a NGFW?

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

• Typical firewall features
• Application Visibility & Control
• Integrated network IPS
• Extra firewall intelligence

Page 3: The Problem with Legacy Next-Generation Firewalls

Focus on the apps… but miss the threat.

Legacy NGFWs can reduce the attack surface, but advanced malware often evades their security controls.

Page 4: Attack Continuum

Typical NGFWs protect before an attack but are less effective during or after one.

BEFORE: enable applications (where the typical NGFW operates)
DURING and AFTER: a gap, covered only by siloed point products (DDoS, sandbox, URL filtering, IPS, incident response)

Page 5: Stop more threats across the entire attack continuum

Cisco Firepower™ NGFW:

BEFORE: discover threats and enforce security policies
DURING: detect, block, and defend against attacks
AFTER: remediate breaches and prevent future attacks

Page 6: “You can’t protect what you can’t see”

Gain more insight with increased visibility. The slide compares what a typical IPS, a typical NGFW and Cisco Firepower™ NGFW can see across the following categories, with Firepower covering the full list:

• Threats
• Users
• Web applications
• Application protocols
• File transfers
• Malware
• Command and control servers
• Client applications
• Operating systems
• Routers and switches
• Network servers
• Printers
• VoIP phones
• Mobile devices

Page 7: Cisco Firepower™ Management Center

Reduce complexity with simplified, consistent management

Unified
• Network-to-endpoint visibility
• Manages firewall, applications, threats, and files
• Track, contain, and recover remediation tools

Scalable
• Central, role-based management
• Multitenancy
• Policy inheritance

Automated
• Impact assessment
• Rule recommendations
• Remediation APIs

Page 8: Detect infections earlier and act faster

Median time to detection (TTD)*: Cisco 17.5 hours vs. an industry rate of 100 days

• Automated attack correlation
• Indications of compromise
• Local or cloud sandboxing
• Malware infection tracking
• Two-click containment
• Malware analysis

Source: Cisco® 2016 Annual Security Report. *Median time to detection (TTD).

Page 9: Security Services

Page 10: Add security services to help defend your network

Services: Stateful Firewalling, VPN Capabilities, AVC, URL Filtering, NGIPS, AMP

Foundational functionality (included by default): built-in firewall services that provide base protection and connect with other security solutions
• Stateful firewalling
• VPN capabilities
• Policy enforcement point for ISE

FirePOWER Services: subscription services that run on the ASA and provide enhanced levels of threat protection and network visibility
• Advanced Malware Protection (AMP)
• Next-Generation Intrusion Prevention System (NGIPS)
• URL Filtering
• Application Visibility and Control (AVC)

Page 11: Minimize your exposure to web-based threats (URL Filtering)

Restrict categories of URLs
Filter out over 280 million URLs based on any of the 80+ categories into which they are grouped; new URLs are added daily. Example categories shown on the slide: Social Media, Gambling, Health, Drug Use, Gaming (each marked Allowed or Restricted).

Block specific URLs
Restrict access to specific sites and subsites, e.g. bad_url.com restricted while office365.com stays allowed.

Change policies easily
Use the refined user interface to make additions or changes with just a few clicks.
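The precedence the slide implies (a rule for a specific site or subsite overriding the verdict for the site's category) is the part of URL filtering that usually surprises people, so here is a small decision routine that makes it explicit. It is example code written for this page, not Cisco's URL-filtering implementation; the category feed, the restricted-category set and the subsite rule for downloads.social.example are constructed assumptions, and only bad_url.com and office365.com come from the slide.

```python
"""URL-filtering decision logic: explicit site/subsite rules and category rules.

Added example, not Cisco code. The category feed, rule lists and the
longest-match precedence are assumptions made for illustration; the real
product uses Cisco's cloud URL category database and its own rule ordering.
"""
from urllib.parse import urlsplit

# Constructed stand-in for the category database (80+ categories in the product).
CATEGORY_DB = {
    "casino.example": "Gambling",
    "social.example": "Social Media",
    "clinic.example": "Health",
    "arcade.example": "Gaming",
}

# Assumed policy: categories the administrator restricted.
RESTRICTED_CATEGORIES = {"Gambling", "Drug Use", "Gaming"}

# Explicit URL rules, as on the slide: bad_url.com restricted, office365.com allowed.
# A rule for a site also covers its subsites (anything.site).
SITE_RULES = {
    "bad_url.com": "block",
    "office365.com": "allow",
    # constructed subsite override: block one host inside an otherwise allowed category
    "downloads.social.example": "block",
}


def hostname(url):
    """Extract the lower-cased host, adding a scheme if the input is bare."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def site_matches(site, host):
    """True if host is site or a subsite of it. The label boundary matters:
    'bad_url.com.evil.example' must not match the rule for 'bad_url.com'."""
    return host == site or host.endswith("." + site)


def explicit_rule(host):
    """Most specific (longest) matching site rule as (site, verdict), or None."""
    matches = [s for s in SITE_RULES if site_matches(s, host)]
    if not matches:
        return None
    best = max(matches, key=len)
    return best, SITE_RULES[best]


def category_of(host):
    """Look up the host, then each parent domain, in the category feed."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        cat = CATEGORY_DB.get(".".join(labels[i:]))
        if cat:
            return cat
    return "Uncategorized"


def decide(url):
    """Return (verdict, reason). Explicit site rules take precedence over categories."""
    host = hostname(url)
    rule = explicit_rule(host)
    if rule:
        site, verdict = rule
        return verdict, f"explicit rule for {site}"
    cat = category_of(host)
    if cat in RESTRICTED_CATEGORIES:
        return "block", f"category {cat}"
    return "allow", f"category {cat}"


if __name__ == "__main__":
    for u in ["https://outlook.office365.com/mail", "http://www.bad_url.com/x",
              "https://play.casino.example/", "https://social.example/feed",
              "https://downloads.social.example/file.exe",
              "http://bad_url.com.evil.example/"]:
        print(u, "->", decide(u))
```

The lookalike host bad_url.com.evil.example falls through to the category lookup and is allowed as uncategorized, which is the behaviour you want from a suffix match but also a reminder that explicit block lists catch only what they name; category and reputation data have to carry the rest.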

Page 12: Next-Generation IPS (NGIPS)

Gain unmatched visibility and threat detection
NGIPS automatically correlates information from intrusion events with network assets to prioritize threat investigation (Priority 1, 2, 3).

Protect the network more effectively
Blended threats and attacks coming through multiple vectors are quickly identified.

Reduce IT management burden
Policies can be updated automatically based on vulnerabilities and previous intrusion events. Admins can make adjustments to policies and system settings across locations from a single location, even offsite.

Page 13: Advanced Malware Protection (AMP)

Protect against the most advanced forms of malware and remediate after a breach

Point-in-time protection
Identify malware that other solutions miss by analyzing files based on reputation or suspicious behavior. AMP is continuously updated to ensure that it can stop the latest and most advanced forms of malware.

Continuous protection
Defend against attacks even after a file passes the perimeter. AMP tracks files as they move around the network; if they turn out to be malicious, you can quickly determine the areas of impact and remediate.

Techniques shown on the slide: one-to-one signature, fuzzy fingerprinting, machine learning, dynamic analysis, advanced analytics, indications of compromise, device flow correlation, trajectory, behavioral indications of compromise, breach hunting, retrospection, attack chain weaving.

Page 14: Application Visibility and Control (AVC)

Reduce attack surfaces by controlling application access
• Control port- and protocol-hopping apps that evade traditional firewalls
• Limit the exposure created by social media applications
• Enforce acceptable use policies with granular control over applications and micro-applications
• Use custom application detectors / OpenAppID

Page 15: Leverage the proven ASA firewall capabilities (Stateful Firewalling)

Standard functions
• IP fragmentation
• IP option inspection
• TCP intercept
• TCP normalization
• ACL
• NAT
• Routing

New ASA features
• Clientless tagging; WebVPN support for OWA 2013 and XenDesktop 7.5
• TLS 1.2
• ECMP support, IPv6 BGP
• Standards-based IKEv2 support; Citrix HTML5 browser support
• VPN clients: Windows 7, 8.1, 8.1 phone client, iOS 8, Knox and strongSwan
• Full VXLAN support
• Policy-based routing
• REST API and SNMP enhancements

Page 16: Extend protection to off-site users (VPN Capabilities)

Policies enforced for remote users: threat protection, data-loss prevention, acceptable use, access control

Diverse endpoint support
• Mobile and non-mobile devices
• Cisco and non-Cisco devices

Broad VPN deployment
• AnyConnect 4.0 and 3rd-party VPNs
• Single- and multi-site deployments

Split tunneling capabilities
• Corporate and sensitive information (sent through the tunnel)
• Personal and generic information (sent directly)

Page 17: FireSIGHT

Page 18: Cisco FireSIGHT provides unmatched visibility for accurate threat detection and adaptive defense

Visibility into: threats, users, web applications, application protocols, file transfers, malware, command & control, operating systems, client applications, network servers, mobile devices

Page 19: Impact Assessment

Correlates every intrusion event with the impact of the attack against the target host.

Impact flag | Administrator action | Why
1 | Act immediately, vulnerable | Event corresponds to a vulnerability mapped to the host
2 | Investigate, potentially vulnerable | Relevant port open or protocol in use, but no vulnerability mapped
3 | Good to know, currently not vulnerable | Relevant port not open or protocol not in use
4 | Good to know, unknown target | Monitored network, but unknown host
0 | Good to know, unknown network | Unmonitored network
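The prioritisation described on page 12 and the table above amount to a small decision procedure: is the target on a monitored network, is the host known, does the triggering rule's vulnerability map to that host, and is the targeted port or protocol actually in use. The following is an added example written for this page, not Cisco's code; the HostProfile and IntrusionEvent structures, the vulnerability identifier VULN-SMB-0001, the network 10.10.0.0/16 and the sample events are constructed assumptions, and only the five rules and their labels come from the slide.

```python
"""Impact-flag assignment: correlating an intrusion event with what passive
discovery knows about the target host, following the five rows of the table.

Added example, not Cisco code. The host-profile and event structures, the
vulnerability identifiers and the sample data are assumptions made for
illustration; only the rules (flags 1, 2, 3, 4 and 0) come from the slide.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class HostProfile:
    """What passive discovery learned about one host (assumed structure)."""
    ip: str
    open_ports: set = field(default_factory=set)   # {(transport, port)}
    protocols: set = field(default_factory=set)    # application protocols seen
    vulns: set = field(default_factory=set)        # vulnerability IDs mapped to the host


@dataclass
class IntrusionEvent:
    """One IPS event (assumed structure); rule_vulns are the vulnerability
    IDs the triggering rule is associated with."""
    sid: int
    dst_ip: str
    transport: str
    dst_port: int
    app_protocol: str
    rule_vulns: set


IMPACT_LABELS = {
    1: "Act Immediately, Vulnerable",
    2: "Investigate, Potentially Vulnerable",
    3: "Good to Know, Currently Not Vulnerable",
    4: "Good to Know, Unknown Target",
    0: "Good to Know, Unknown Network",
}

# Triage order: flag 1 first, flag 0 (unmonitored network) last.
TRIAGE_ORDER = {1: 0, 2: 1, 3: 2, 4: 3, 0: 4}


def impact_flag(event, hosts, monitored_networks):
    """Apply the table's rules top to bottom and return the impact flag."""
    target = ip_address(event.dst_ip)
    if not any(target in ip_network(net) for net in monitored_networks):
        return 0                                   # unmonitored network
    host = hosts.get(event.dst_ip)
    if host is None:
        return 4                                   # monitored network, unknown host
    if host.vulns & event.rule_vulns:
        return 1                                   # vulnerability mapped to host
    if (event.transport, event.dst_port) in host.open_ports \
            or event.app_protocol in host.protocols:
        return 2                                   # port open / protocol in use, no vuln mapped
    return 3                                       # port not open, protocol not in use


def triage(events, hosts, monitored_networks):
    """Return (flag, label, sid, dst_ip) tuples, most urgent first."""
    rows = []
    for ev in events:
        flag = impact_flag(ev, hosts, monitored_networks)
        rows.append((flag, IMPACT_LABELS[flag], ev.sid, ev.dst_ip))
    return sorted(rows, key=lambda r: TRIAGE_ORDER[r[0]])


# Constructed sample data: one monitored /16, three discovered hosts, one rule
# (sid 1001) associated with VULN-SMB-0001 firing against five targets.
MONITORED_NETWORKS = ["10.10.0.0/16"]
SAMPLE_HOSTS = {
    "10.10.1.5": HostProfile("10.10.1.5", {("tcp", 445)}, {"smb"}, {"VULN-SMB-0001"}),
    "10.10.1.6": HostProfile("10.10.1.6", {("tcp", 445)}, {"smb"}),
    "10.10.1.7": HostProfile("10.10.1.7", {("tcp", 22)}, {"ssh"}),
}
SAMPLE_EVENTS = [
    IntrusionEvent(1001, "10.10.1.7", "tcp", 445, "smb", {"VULN-SMB-0001"}),
    IntrusionEvent(1001, "192.0.2.10", "tcp", 445, "smb", {"VULN-SMB-0001"}),
    IntrusionEvent(1001, "10.10.1.5", "tcp", 445, "smb", {"VULN-SMB-0001"}),
    IntrusionEvent(1001, "10.10.9.9", "tcp", 445, "smb", {"VULN-SMB-0001"}),
    IntrusionEvent(1001, "10.10.1.6", "tcp", 445, "smb", {"VULN-SMB-0001"}),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS, SAMPLE_HOSTS, MONITORED_NETWORKS):
        print(row)
```

Run as a script it prints the five rows with the same rule firing five times: the host that actually carries the mapped vulnerability sorts first, the host with SMB open but no mapped vulnerability second, the SSH-only host third, the undiscovered host in the monitored range fourth, and the event against 192.0.2.10 last. The quality of the result depends entirely on the host profiles being current, which is why the slide pairs impact assessment with continuous passive discovery rather than a one-off scan.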

Page 20: Indications of Compromise (IoCs)

IPS events
• Malware backdoors
• CnC connections
• Exploit kits
• Admin privilege escalations
• Web app attacks

Security Intelligence (SI) events
• Connections to known CnC IPs

Malware events
• Malware detections
• Malware executions
• Office/PDF/Java compromises
• Dropper infections

Page 21: Firepower Management Center

Single console for event, policy, and configuration management

Page 22: Awareness Delivers Insight

• OS and version identified
• Server applications and version
• Client applications and client version
• Who is at the host
• What other systems / IPs did the user have, and when?

Page 23: Platforms

Page 24: Cisco NGFW Product Family: Four Categories (select models pictured)

Chart: models arranged by increasing performance and scalability.

ASA low-end, including hardened FW for IoT/E (SMB & distributed enterprise): ASA 5506-X, ASA 5506W-X, ASA 5508-X, ASA 5516-X
ASA 5525-X, ASA 5545-X, ASA 5555-X (commercial & enterprise)
ASA 5585-X SSP10, SSP20, SSP40, SSP60 (data center, high-performance computing, service provider)
New appliances: Cisco Firepower™ 4100 Series and 9300
Virtual appliances: ASAv, FTDv

Page 25: Cisco Firepower 4100 Series

Introducing four new high-performance models

Multiservice security
• Integrated inspection engines for FW, NGIPS, Application Visibility and Control (AVC), URL, Cisco Advanced Malware Protection (AMP)
• Radware DefensePro DDoS
• ASA and other future third party

Performance and density optimization
• 10-Gbps and 40-Gbps interfaces
• Up to 80-Gbps throughput
• 1-rack-unit (RU) form factor
• Low latency

Unified management
• Single management interface with Firepower Threat Defense
• Unified policy with inheritance
• Choice of management deployment options

Page 26: Cisco Firepower 9300 Platform

High-speed, scalable security

Multiservice security
Benefits: integration of best-in-class security; dynamic service stitching
Features*: Cisco® ASA container; Cisco Firepower™ Threat Defense containers (NGIPS, AMP, URL, AVC); third-party containers (Radware DDoS, other ecosystem partners)

Modular
Benefits: standards and interoperability; flexible architecture
Features: template-driven security; secure containerization for customer apps; RESTful/JSON API; third-party orchestration and management

Carrier class
Benefits: industry-leading performance (600% higher performance, 30% higher port density)
Features: compact 3RU form factor; 10-Gbps/40-Gbps I/O, 100-Gbps ready; terabit backplane; low latency, intelligent fast path; Network Equipment-Building System (NEBS) ready

* Contact Cisco for services availability

Page 27: Firepower Threat Defense

Page 28: Introducing Cisco Firepower Threat Defense

Fully integrated
• FW / applications / IPS
• Cisco® AMP – network / endpoint
• Analysis and remediation
• Cisco security solutions
• Application-aware DDoS

Threat focused
• Networkwide visibility
• Industry-best threat protection
• Known and unknown threats
• Track / contain / recover
• Across the attack continuum

Unified management
• Manage, control, and investigate
• Automatically prioritize
• Automatically protect

Page 29: Converged Software – Firepower Threat Defense

New converged software image, Firepower Threat Defense (FirePOWER + ASA + new features):
• Contains all Firepower Services plus select ASA capabilities
• Single manager: Firepower Management Center*

Same subscriptions as FirePOWER Services, enabled by Smart Licensing:
• Threat (IPS + SI + DNS)
• Malware (AMP + ThreatGrid)
• URL Filtering

* Also manages Firepower Appliances and Firepower Services (not ASA software)

Page 30: Deployment Modes

• Basic deployment modes, firewall modes (choose one): routed, transparent
• Other interface modes, IPS/IDS modes: inline, inline tap, passive

Page 31: Firepower Threat Defense interface modes

Diagram: a single device with interfaces A–J in mixed modes: routed/transparent interfaces, two inline pairs grouped into an inline set, an inline tap, and passive interfaces, all feeding the same policy tables.

Page 32: What platforms run Firepower Threat Defense?

All* managed by Cisco Firepower Management Center:
• Cisco Firepower Threat Defense on Firepower™ 4100 Series and 9300 (new appliances)
• Cisco Firepower Threat Defense on ASA 5500-X
• Cisco FirePOWER Services on ASA 5585-X
• Cisco FirePOWER on 7000/8000 Series appliances

* 5585-X ASA module management being investigated for 2HCY16

Page 33: Cisco FirePOWER Threat Defense for ISR

Platform: Cisco ISR G2 Series or Cisco® 4000 Series ISR, plus Cisco UCS®, running FirePOWER Threat Defense (AppX + Security license)

• Network visibility
• Granular app control
• Modern threat control: NGIPS, Security Intelligence, URL Filtering
• Advanced Malware Protection: retrospective security, IoCs / incident response
• Visibility and automation

Across the attack continuum:
BEFORE: discover, enforce, harden
DURING: detect, block, defend
AFTER: scope, contain, remediate
