Cisco Forum Kyiv
Global vision. Local knowledge.
William Young, Security Solutions Architect, Global Security Architecture Team, December 2018
Firepower Next Generation Firewall
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
The move to digital business has increased exposure to attacks
21B IoT devices
90%
2/3 of all IP traffic
80%of organizations not “fully aware” of the devices accessing their network
of all traffic will be encrypted
2020
Threats are constantly evolving and getting smarter
Data breach averages: 191 days time to detection, 66 days time to contain
Motivated and targeted adversaries
Insider threats
Increased attack sophistication
3 Security Concerns of IT Leaders
Prevention: They aren’t confident in their ability to prevent the next big breach.
Visibility: They lack visibility needed to be able to see and stop threats quickly.
Resources: They have limited budgets, staff and time.
Ask more from your firewall. Ask if it can…
• Deep network and security visibility to detect and stop threats fast
• Automate operations to save time, reduce complexity, and work smart
• Prevent breaches automatically to keep the business moving

Prevent breaches automatically to keep the business moving
PRODUCTS & INTELLIGENCE: Talos is the intelligence backbone for all Cisco Security Products and Services.
Area | Products | Detection Services
Email | ESA, ClamAV, SpamCop, SenderBase | Email Reputation; Malware Protection; URL, Domain, IP Reputation; Phishing Protection; Spam Detection
Open Source | Snort Rules, ClamAV Sigs, ClamAV | Vulnerability Protection; Malware Protection; Policy & Control
End Point | AMP, ClamAV | Cloud & End Point IOCs; Malware Protection; IP Reputation
Cloud | OpenDNS, CES | URL, Domain, IP Reputation; Malware Protection; AVC
Web | WSA | URL, Domain, IP Reputation; Malware Protection; AVC
Network | Firepower/ASA, ISR, Meraki | Policy & Control; Malware Protection; URL, Domain, IP Reputation; Vulnerability Protection
Services | ATA, IR | Cloud & End Point IOCs; Malware Protection; URL, Domain, IP Reputation; Vulnerability Protection; Custom Protection
Intelligence | ThreatGrid | Cloud & End Point IOCs; Malware Protection; URL, Domain, IP Reputation; Network Protection
[Table: product protection against NotPetya (June 2017), WannaCry (May 2017) and VPNFilter (May 2018); rows AMP, CWS, Firewall, Threat Grid, Umbrella, WSA, with N/A entries for CWS, Umbrella and WSA; check-mark cells not recoverable]
Cisco Firewalls have you covered
Security Intelligence, URL Filtering, DNS Sinkhole
Block or allow access to URLs and domains
• Classify 280M+ URLs
• Filter sites using 80+ categories
• Manage Acceptable Use Policy
• Block latest malicious URLs
Category-based Policy Creation
[Diagram: security feeds (URL | IP | DNS) drive NGFW filtering; admin-defined allow/block decisions and a DNS sinkhole; Safe Search and category blocking (e.g. gambling)]
Next-Generation Intrusion Prevention System (NGIPS)
Understand threat details and quickly respond
[Diagram: communications, app & device data and data packets are scanned; ISE automates policies; accept/block decisions; prioritize response]
Blended threats:
• Network profiling
• Phishing attacks
• Innocuous payloads
• Infrequent callouts
1. Scan network traffic
2. Correlate data
3. Detect stealthy threats
4. Respond based on priority
Automated Impact Assessment
Correlates all intrusion events to an impact of the attack against the target
Impact Flag | Administrator Action | Why
1 | Act immediately; vulnerable | Event corresponds to vulnerability mapped to host
2 | Investigate; potentially vulnerable | Relevant port open or protocol in use, but no vulnerability mapped
3 | Good to know; currently not vulnerable | Relevant port not open or protocol not in use
4 | Good to know; unknown target | Monitored network, but unknown host
0 | Good to know; unknown network | Unmonitored network
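As an added illustration of the correlation in this table (example code, not Cisco's own), a small Python model of how one intrusion event is mapped to an impact flag from the host profile that network discovery has built, then sorted so the highest-impact events are handled first. The host profile schema, vulnerability ids and events are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Host profile as network discovery would build it (constructed sample schema).
@dataclass
class HostProfile:
    ip: str
    open_ports: set = field(default_factory=set)       # {("tcp", 445), ...}
    protocols: set = field(default_factory=set)        # non-port protocols in use, e.g. {"icmp"}
    vulnerabilities: set = field(default_factory=set)  # vulnerability ids mapped to the host

@dataclass
class IntrusionEvent:
    dst_ip: str
    proto: str
    dst_port: int = 0            # 0 when the protocol has no port (icmp)
    vuln_ids: frozenset = frozenset()  # vulnerabilities the triggering rule is associated with
    rule: str = ""

ADMIN_ACTION = {
    1: "Act immediately; vulnerable",
    2: "Investigate; potentially vulnerable",
    3: "Good to know; currently not vulnerable",
    4: "Good to know; unknown target",
    0: "Good to know; unknown network",
}

def impact_flag(event, monitored_networks, hosts):
    """Return the impact flag (0-4) for one intrusion event against the host map."""
    dst = ip_address(event.dst_ip)
    if not any(dst in ip_network(n) for n in monitored_networks):
        return 0                                  # unmonitored network
    host = hosts.get(event.dst_ip)
    if host is None:
        return 4                                  # monitored network, but unknown host
    if event.proto in ("tcp", "udp"):
        relevant = (event.proto, event.dst_port) in host.open_ports
    else:
        relevant = event.proto in host.protocols
    if not relevant:
        return 3                                  # relevant port not open / protocol not in use
    if event.vuln_ids & host.vulnerabilities:
        return 1                                  # rule's vulnerability is mapped to this host
    return 2                                      # service exposed, but no vulnerability mapped

PRIORITY = {1: 0, 2: 1, 3: 2, 4: 3, 0: 4}        # ordering for "respond based on priority"

def triage(events, monitored_networks, hosts):
    """Tag each event with its flag and return them highest-impact first (stable order)."""
    flagged = [(impact_flag(e, monitored_networks, hosts), e) for e in events]
    return sorted(flagged, key=lambda fe: PRIORITY[fe[0]])

# Constructed sample data (not real hosts or vulnerability ids).
MONITORED = ["10.0.0.0/8"]
HOSTS = {"10.0.1.10": HostProfile("10.0.1.10", {("tcp", 445), ("tcp", 80)}, {"icmp"}, {"vuln-smb-1"})}
EVENTS = [
    IntrusionEvent("192.0.2.7", "tcp", 80, frozenset({"vuln-web-1"}), "outside"),
    IntrusionEvent("10.0.1.10", "tcp", 3389, frozenset({"vuln-rdp-1"}), "rdp-closed"),
    IntrusionEvent("10.0.1.10", "tcp", 445, frozenset({"vuln-smb-1"}), "smb-mapped"),
    IntrusionEvent("10.0.2.50", "tcp", 445, frozenset({"vuln-smb-1"}), "unknown-host"),
    IntrusionEvent("10.0.1.10", "tcp", 445, frozenset({"vuln-smb-2"}), "smb-other"),
    IntrusionEvent("10.0.1.10", "icmp", 0, frozenset(), "icmp-probe"),
]

if __name__ == "__main__":
    for flag, ev in triage(EVENTS, MONITORED, HOSTS):
        print(flag, ADMIN_ACTION[flag], ev.rule)
```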
Indications of Compromise (IoCs) Detection & Threat Correlation
IPS Events: Malware Backdoors, CnC Connections, Exploit Kits, Admin Privilege Escalations, Web App Attacks
Security Intelligence Events: Connections to Known CnC IPs, DNS Servers, Suspect URLs
Malware Events: Malware Detections, Malware Executions, Office/PDF/Java Compromises, Dropper Infections
Firepower Recommendations Knows what I Do Not
Advanced Malware Protection (AMP)
Uncover hidden threats in the environment
Breadth and control points: Web (WWW), Endpoints, Network, Email, Devices, IPS
Telemetry stream (continuous feed, continuous analysis): File Fingerprint and Metadata, Process Information, File and Network I/O
Talos + Threat Grid Intelligence
Outcomes: Trajectory, Behavioral Indications of Compromise, Threat Hunting, Retrospective Detection
AMP in Action
Who: Focus on these users first
What: These applications are affected
Where: The breach impacted these areas
When: This is the scope of exposure over time
How: Here is the origin and progression of the threat
Network and Endpoint Correlation in Firepower Management Center
The results speak for themselves
4.6 hours median time to detection with Cisco security*; weeks industry average time to detection
* Source: Cisco 2018 Annual CyberSecurity Report
Deep network and security visibility to detect and stop threats fast
“You can’t protect against what you can’t see”
Gain more insight with increased visibility
Malware
Client applications
Operating systems
Mobile devices
VoIP phones
Routers and switches
Printers
Command and control servers
Network servers
Users
File transfers
Web applications
Application protocols
Threats
Typical IPS
Typical NGFW
Cisco Firepower™ NGFW
OpenAppID
Application Visibility & Control: Provide next-generation visibility into app usage
• See and understand risks
• Enforce granular access control
• Prioritize traffic and limit rates
• Create detectors for custom apps
Cisco database: 4,000+ pre-defined apps
[Diagram: network & users; allow/block decisions per application; prioritize traffic]
OpenAppID - Crowdsourcing Application Detection: Extend AVC to proprietary and custom apps
• Easily customize application detectors
• Detect custom and proprietary applications
• Share detectors with other users
Open-Source, Self-Service
Decrypt traffic in hardware and software
TLS/SSL decryption engine: Uncover hidden threats at the edge
• Inspect deciphered packets
• Track and log all TLS sessions
[Diagram: encrypted traffic enters the TLS decryption engine; deciphered packets go to AVC and NGIPS, which return enforcement decisions (allow/block, e.g. gambling or illicit sites) and are logged]
Visibility Provides Context
Automate operations to save time, reduce complexity, and work smarter
Save time and work smarter with NGFW automation
• Automated policy application and enforcement frees up time so you can focus on high priority items
• Automatic IPS tuning blocks more threats and reduces the volume of alerts
• Prioritized threat alerts show you where to focus on what matters
Automate operations to save time, reduce complexity, and work smarter
Effective security requires an integrated approach with a Cisco firewall at its foundation
Firewall: Firepower NGFW / Meraki MX
Tetration
Web Security
Email Security
Secure SD-WAN / Router: ISR • CSR • ASR • vEDGE • Meraki MX
Identity Services Engine (ISE) + pxGrid
Umbrella + Investigate
Digital Network Architecture: CATALYST • NEXUS • MERAKI MS • AIRONET/WLC • MERAKI MR
Cloudlock
AMP for Endpoints & Threat Grid
TrustSec
Identity Services Engine (ISE): Ensure compliance before granting access
• Set access control policies
• Propagate rules and context
• Remediate breaches automatically
pxGrid propagates: User Context, Device Profile, Access Policies
TrustSec tags: Employee, Supplier, Server, Guest, Quarantine, Suspicious
[Diagram: ISE policy automation and the management console establish a secure network for BYOD, Guest Access and Segmentation]
Cisco Threat Intelligence Director: Integrate third-party security intelligence
Threat Intelligence Director in Firepower Management Center ingests security intelligence (CSV, events) and observables, generates rich incident reports, correlates observations and refines security posture
Cisco Security Sensors: Firepower NGFW, FirePOWER NGIPS, AMP
Device APIs and Events - Scale and Efficiency (New)
[Diagram: FTD is managed through CDO, FMC, FDM, the CLI and automation scripts via the API; connection, security and AAA events flow through the event connector to FMC, syslog servers, SIEM and homegrown or 3rd party tools]
Secure workloads consistently across the data center and public cloud
Private / Public
Internet users; Internet users accessing IaaS resources using translated IPs
Corporate users
Security Operations Center (SOC)
3rd party management tools (via REST-API)
Corporate data center
Firepower Management Center
IaaS
VPC
NGIPS, AVC, AMP
VPN
Access Control
IaaS vendor management console
Internet
NGFWv
Subnet 1 Subnet 2
Web Applications
Remote and site-to-site VPN: Extend security to remote users and branches
• Extend access remotely
• Protect important data
• Maintain application performance
• Support multiple sites
AnyConnect, IKEv2 support, Third-party VPN
Firepower DDoS Mitigation: Available on the Firepower 9300 and 4100 series appliances.
Prevent network and application downtime
• Stop attacks within seconds of detection
• Block or allow traffic automatically
• Maintain up to 42 Gbps total mitigation capacity
• Handle 627,000 connections per second
• Block 5,400,000 packets of flood traffic per second
[Diagram: SYN flood, DDoS and nonstandard packet attacks (flood traffic) are filtered, optionally via a cloud scrubber, so legitimate traffic reaches the network and applications]
Cisco Firepower NGFW Deployment & Management Options
Cisco has an NGFW solution for every business…
Small and Midsized Business: ASA 5506-X / 5506W-X / 5506H-X / 5508-X / 5516-X; Firepower 2110/2120. NGFWs for SMBs and distributed enterprises with integrated threat defense, a low TCO, and simplified security management.
Midrange: ASA 5525-X / ASA 5545-X / ASA 5555-X; Firepower 2130/2140. Enterprise-class security for the internet edge, with superior threat defense, sustained performance, and simple management.
Enterprise: Firepower 4110/4120/4140/4150; Firepower 9300. From the internet edge to carrier grade security for data centers and other high-performance settings, with multiservice security, flexible architecture, and unified management.
Virtual and Cloud Solutions
Firewall
AVC
NGIPS
AMP
URL
VPN (IPSEC and SSL)
Managed by FMC and FDM
Pick from many deployment modes: Firewall deployment modes
Inline or Passive: Inline, Inline Tap, Passive
Fail-to-wire NetMods: NetMod; available on 2100, 4100 and 9300
Additional options: Virtual or Physical; Routed; Transparent
Firewall Clustering: Deliver scalable performance across many sites
• Link Scalability: Increase throughput
• Distributed Plan: Handle more connections
• Inter-site Clustering: Combine multiple individual firewalls and manage as one
[Diagram: cluster spanning Location A and Location B]
Multi-Instance for true Multi-Tenancy (New)
• Firepower 4100 and 9300 only
• Instantiate multiple logical devices on a single module or appliance
• Complete traffic processing and management separation
• CPU/memory/disk resources are dedicated to an instance at provisioning
• Physical and logical interface and VLAN separation at Supervisor
[Diagram: one Firepower 4100 or Firepower 9300 module hosting FTD Instance A (4 CPU), FTD Instance B (2 CPU), FTD Instance C (12 CPU), FTD Instance D (4 CPU) and ASA Instance A (Future, 12 CPU) on Ethernet1/1-3, Ethernet1/4-5, Port-Channel1.100-101, Port-Channel1.101-102 and Port-Channel2]
Flow Offload (New)
Management Options (New)
Cisco Defense Orchestrator (CDO), cloud-based: Enables cloud-based policy management of multiple deployments
Firepower Management Center (FMC), centralized: Enables comprehensive security administration and automation of multiple appliances
Firepower Device Manager (FDM), on-box: Enables easy on-box management of common security and policy tasks
Firepower Management Center (FMC): Centralized management for multi-site deployments
• Manage across many sites
• Control access and set policies
• Investigate incidents
• Prioritize response
Multi-domain management, Role-based access control, High availability, APIs and pxGrid integration
Manages NGIPS, Firewall & AVC, AMP, Security Intelligence, …
Available in physical and virtual options
Firepower Device Manager (FDM) (New): Integrated on-box option for single instance deployment
• Set up easily
• Control access and set policies
• Automate Configuration
• Enhanced Control
Physical and virtual options; Easy set-up; NAT and Routing; Role-based access control; Intrusion and Malware prevention; High availability; Device monitoring; VPN support
Cisco Defense Orchestrator (CDO) (New): Simplify security policy management in the cloud
• Plan and model security policy changes before deploying them across the cloud
• Deploy changes across virtual environments in real time or offline
• Receive notifications about any unplanned changes to security policies and objects
Device Onboarding: Import From Offline; Discover Direct From Device
Security Policy Management: Object & Policy Analysis; Application, URL, Malware & Threat Policy Management; Change Impact Modeling; Security Templates; Security Reports; Notifications; Simple Search-Based Management
Address modern security needs and challenges
With eight business-critical use cases:
• Campus NGFW
• Internet Edge
• Cloud Data Center Edge
• Local Data Center Edge
• Acceptable Use
• ACI Integration
• Complex remote access
• Rapid Threat Containment
Extend secure access to other locations
I want to… stop threats from getting in by extending secure access to all users.
Firewall Highlights: AVC, NGIPS, SSL Decryption Engine; high bandwidth; high availability; hardware and virtual options
[Diagram: firewalls at Headquarters, Distributed Enterprise, Branch and Remote user sites connected over VPN; security feeds (URL | IP | DNS) drive block/allow decisions; Branch WAN and Remote Users]
Defend the network with Rapid Threat Containment
I want to… isolate compromised resources quickly before the problem grows.
Firepower Management Center receives an alert of an intrusion event and issues a quarantine command to ISE over pxGrid; ISE applies the TrustSec Quarantine Tag for automatic isolation (other tags: Employee, Supplier, Guest)
Migration
Migration Options
• FMC Based Migration
• API Based Firepower Migration Tool (New)
API Based ASA To FTD Migration
Independent from FMC:
• Takes away the pain of installing another FMC for migration
• Independent windows executable
• Independent releases with enhancements and bug fixes
Rest API based:
• Supports migration of features supported in FMC Rest API
• Will support migration to FDM in the future
• Scalable
Improved Workflow and reporting:
• Ability to edit the configuration being migrated
• Pre and post migration reports
• Live running logs, graceful error handling and resume from failure
• Object conflict detection and resolution
API Based Firepower Migration Tool: Easy Deployment
Windows Executable, Chrome Browser
[Diagram: ASA 5585-X configuration (.cfg/.txt) is imported into the tool and pushed over the API to FMC; the target FP4100 is reimaged to FTD]
• 55xx, 2100, 4100, 9300, and Virtual
• FMC 6.2.3+ and beyond
Deploy security in multiple environments flexibly with NGFW
• Flexible licensing model
• Open architecture
• Consolidated security posturing
• Consistent security efficacy
• APIs and automation
Key Features of the 6.3 Release
• Extending deployment opportunities
• Multi-Instance
• Air-gapped licensing
• Unified Eventing and Contextual Cross-launch
• New Network Modules
• ISA 3000 FTD enhancements
• On-box Firepower Device Manager (FDM) HA
• Additional FDM enhancements
• TLS in Hardware for the 2100
• CoA for RA VPN
• FQDN based network objects
• New migration tool
• Other Enhancements: Dynamic Flow Offload; Clustering enhancements; Backup and restore for RMA; Snort restart improvements; FMC REST API enhancements
Next steps
1. Learn more about what Firepower NGFW can do for you at https://cisco.com/go/ngfw
2. Schedule a demo today for a hands-on experience at https://dcloud.cisco.com
3. Set up a POV to see how it can improve your network. Contact your local Cisco security representative
Thank You!