ASA-NGFW with IPS

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential


NGFW Services Review

Peregrine – What is new in NGFW

Policy Enhancements

IPS

Demonstration

Rate Limiting

Multi-mode

Warning Feature

Licensing and Pricing

Questions and Answers


NGFW Services Refresher


ASA Module:

IP Fragmentation
IP Option Inspection
TCP Intercept
TCP Normalization
ACL
NAT
VPN Termination
Routing
Botnet Traffic Filter

NGFW Services Module:

TCP Proxy
TLS Proxy
AVC Multiple Policy Decision Points
HTTP Inspection
URL Category/Reputation
NGFW IPS

Broad AVC

Broad protocol support
Resides in data plane
Less granular control
Supports:
  Application types – for example, email
  Applications – for example, Simple Mail Transfer Protocol

Web AVC

HTTP and decrypted HTTPS only
More granular control
Supports:
  Application types – for example, Instant Messaging
  Applications – for example, Yahoo Messenger
  Application behavior – for example, File Transfer

Default web reputation profile

Suspicious: -10 through -6
Not suspicious: -5.9 through +10

Reputation scale, in order from -10 (malicious) to +10 (trusted):

-10: Dedicated or hijacked sites persistently distributing key loggers, root kits and other malware. Almost guaranteed malicious.
Phishing sites, bots, drive-by installers. Extremely likely to be malicious.
Aggressive ad syndication and user tracking networks. Sites suspected to be malicious, but not confirmed.
Sites with some history of responsible behavior or 3rd party validation.
Well managed, responsible content syndication networks and user generated content.
+10: Sites with long history of responsible behavior. Have significant volume and are widely accessed.

Used within policies

•  Utilized after the policy has been matched

File filtering profile

•  Blocks the download of specific MIME types
•  Blocks the upload of specific MIME types

Web reputation profile

•  Specifies threshold value for web reputation filter
•  Default profile sets threshold to -6

Next-generation IPS profile

•  Specifies threshold values for NGFW IPS
•  Default: Block & Monitor 70, Allow & Monitor 40

TLS Proxy

•  Two separate TLS sessions, with separate certificates and keys: one between the client on the corporate network and ASA CX, one between ASA CX and the web server
•  ASA CX acts as a CA and issues a certificate for the web server

Server side (ASA CX to web server):

1. Negotiate algorithms.
2. Authenticate the server certificate.
3. Generate the proxied server certificate.
5. Generate encryption keys.
6. Encrypted data channel established.

Client side (corporate network client to ASA CX):

1. Negotiate algorithms.
4. Client authenticates the "server" certificate.
5. Generate encryption keys.
6. Encrypted data channel established.

The certificate is generated dynamically with the destination name but signed by ASA CX. Step 4 therefore succeeds only if the client trusts the ASA CX signing CA; a client without that CA installed sees a certificate warning for every decrypted site.

NGFW NEW

Peregrine Release


Peregrine has added the following features:

•  Support for Active/Standby: PRSM can discover the HA configuration and treat the HA pair as a single device (policy configuration, reporting)
•  Next Generation IPS
•  Platform support: platform support has been added for SSP-40 and SSP-60; NGFW is now available on all midrange and all high-end models of ASA

Peregrine has added the following features:

•  Time ranges
•  Interface roles – collections of interfaces that can be used to construct policies
•  Rate limits
•  Safe Search

Note: Not all features are available for all types of policies.

New with NGFW 9.2

•  Policy sets can have different scopes:
   –  Universal – policy set is shared by all devices
   –  Shared – policy set is shared among some devices
   –  Local – policy set only applies to one device
•  At the top is the universal top context-aware access policy set, applied first
•  At the bottom is the universal bottom context-aware access policy set, applied last

IPS


Available in Peregrine release

•  Policy driven by risk acceptance
•  Threats are the focus, not signatures
•  IPS policy is a part of the overall NGFW access policy
•  References Application Awareness
•  References source reputation
•  Daily/hourly updates available: Threats/Signatures, Reputation feeds, Parsing engines

Simplified Operation · Rich Policy Options · Highly Dynamic

•  NGFW IPS Feature available through license

•  NGFW IPS ON/OFF switch

•  Blocking of traffic sourced from blacklisted IPs

•  Option to exclude high reputation traffic


Available in Peregrine release

•  Risk Based Control
•  3 ranges: Block and Monitor, Allow and Monitor, Don't Monitor
•  Customizable exceptions

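The Go program below is an added example, not code from the slides or from Cisco. It models how the profile settings described earlier (the web reputation threshold with its default of -6, the next-generation IPS profile with its Block & Monitor 70 and Allow & Monitor 40 defaults) and the controls on this slide (blocking of blacklisted sources, the option to exclude high-reputation traffic, customizable exceptions) combine into a single access-policy decision. The evaluation order, the +6 cut-off for "high reputation", and the shape of the exceptions (a set of threat IDs downgraded to allow-and-monitor) are assumptions made for the example; the slides do not define them.

```go
package main

import "fmt"

// Action is the verdict an access policy returns for a flow.
type Action string

const (
	Allow Action = "allow"
	Block Action = "block"
)

// Decision is the verdict plus whether the flow is monitored (an event is
// raised) and which rule produced it.
type Decision struct {
	Action  Action
	Monitor bool
	Reason  string
}

// WebReputationProfile: reputation scores from -10 through Threshold are
// "suspicious" and blocked; the default profile sets the threshold to -6.
type WebReputationProfile struct{ Threshold float64 }

// IPSProfile holds the risk ranges of a next-generation IPS profile:
// rating >= BlockAt is "Block and Monitor", rating >= AllowAt is "Allow and
// Monitor", anything lower is "Don't Monitor" (defaults 70 and 40).
type IPSProfile struct {
	BlockAt, AllowAt int
	// ExcludeHighReputation skips IPS inspection for destinations whose
	// reputation is at or above HighRepScore. The score boundary is an
	// assumption of this example; the slide only names the option.
	ExcludeHighReputation bool
	HighRepScore          float64
	// Exceptions is an assumed shape for "customizable exceptions": threat
	// IDs that are downgraded from block to allow-and-monitor.
	Exceptions map[string]bool
}

// Flow carries the attributes the policy engine consults.
type Flow struct {
	SrcIP        string
	Reputation   float64 // web reputation of the destination, -10 .. +10
	ThreatID     string  // empty when no signature matched
	ThreatRating int     // 0 .. 100
}

// Engine bundles the blacklist with the two profiles of one access policy.
type Engine struct {
	Blacklist map[string]bool
	WebRep    WebReputationProfile
	IPS       IPSProfile
}

// DefaultEngine returns the default profile values from the slides.
func DefaultEngine() Engine {
	return Engine{
		Blacklist: map[string]bool{},
		WebRep:    WebReputationProfile{Threshold: -6},
		IPS: IPSProfile{BlockAt: 70, AllowAt: 40, HighRepScore: 6,
			Exceptions: map[string]bool{}},
	}
}

// Evaluate applies the checks in order: blacklisted source first, then the
// destination's web reputation, then the IPS risk ranges and exceptions.
func (e Engine) Evaluate(f Flow) Decision {
	if e.Blacklist[f.SrcIP] {
		return Decision{Block, true, "source IP is blacklisted"}
	}
	if f.Reputation <= e.WebRep.Threshold {
		return Decision{Block, true, fmt.Sprintf("web reputation %.1f is at or below threshold %.1f",
			f.Reputation, e.WebRep.Threshold)}
	}
	if f.ThreatID == "" {
		return Decision{Allow, false, "no threat matched"}
	}
	if e.IPS.ExcludeHighReputation && f.Reputation >= e.IPS.HighRepScore {
		return Decision{Allow, false, "high-reputation destination excluded from IPS"}
	}
	switch {
	case f.ThreatRating >= e.IPS.BlockAt:
		if e.IPS.Exceptions[f.ThreatID] {
			return Decision{Allow, true, "excepted threat: allow and monitor"}
		}
		return Decision{Block, true, "block and monitor"}
	case f.ThreatRating >= e.IPS.AllowAt:
		return Decision{Allow, true, "allow and monitor"}
	}
	return Decision{Allow, false, "don't monitor"}
}

func main() {
	e := DefaultEngine()
	e.Blacklist["198.51.100.7"] = true // constructed sample data
	for _, f := range []Flow{
		{SrcIP: "198.51.100.7", Reputation: 5},
		{SrcIP: "10.0.0.5", Reputation: -6},
		{SrcIP: "10.0.0.5", Reputation: 2, ThreatID: "sig-42", ThreatRating: 72},
		{SrcIP: "10.0.0.5", Reputation: 2, ThreatID: "sig-42", ThreatRating: 55},
		{SrcIP: "10.0.0.5", Reputation: 2, ThreatID: "sig-42", ThreatRating: 12},
	} {
		fmt.Printf("%+v -> %+v\n", f, e.Evaluate(f))
	}
}
```

The order matters: a blacklisted source or a suspicious destination is blocked before any IPS logic runs, and the high-reputation exclusion means a threat on a trusted site is never rated at all, which is exactly the trade-off an operator accepts when enabling that option.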

Available in Peregrine release

•  Threat Profile field
•  Use a custom IPS profile or the device-level profile
•  Different profiles can be applied to different subsets of traffic
•  Selection criteria include 5-tuple, user and application

•  Important to remember:
•  In the Access policy view, profiles are NOT visible
•  Access policies have the "local" device-level profile applied automatically
•  Be certain to open the Profile tab of your Access policy to understand what is there
•  Do this for ALL Access policies

Available in Peregrine release

NGFW IPS (Effective, Simple, Integrated)

•  Threats
•  Risk-focused settings
•  Edge-focused coverage
•  Automatic engine/signature update
•  Consumption of App ID and Web Security data

Classic IPS (Dedicated, DC-ready, Customizable)

•  Signatures
•  Broad coverage
•  Tunable and custom signatures
•  Wide range of Event Actions

•  Threats: What the attack is about – its target and potential impact. 730+ threats.
•  Signatures: The means of detecting a threat. 950+ signatures.
•  Engines: The parser that applies signatures to the traffic. Borrowed / repurposed / improved – "different". Can be updated without a "dot" release – delivered with signature updates.
•  Release Plans: Expand beyond classic IPS default. NGFW signatures will parallel classic IPS releases starting December, 1 day lag by February.

[Chart: Threat Rating (0 to 100) plotted against Signature Count (1 to about 1261), comparing NGFW-IPS with classic IPS]

Demonstration

Stijn Vanveerdeghem


Rate Limiting and Safe Search


Rate limiting (new with NGFW 9.2)

•  Available in context-aware access policies only
•  Limits bandwidth usage per policy
•  Excessive packets are dropped
•  A rate limit is an obligation attached to the policy
•  Allotted bandwidth is shared between all flows that match the policy

C97-729687-00 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Safe Search (new with NGFW 9.2)

•  Available in context-aware access policies only
•  Blocks searches on supported search engines if Safe Search is enabled in a matching access policy and Safe Search is disabled in the browser
•  Supported search engines: Google, Yahoo, Bing, Ask, DuckDuckGo

•  When a policy is installed, a bucket is created to contain the traffic that hits the policy.
•  Several flows can match the policy. All of them are rate-limited using a single bucket.
•  A flow may match only after evaluation by an inspector (say HTTP or TLS). In those cases the data plane waits for the inspector to set the flags before assigning the flow to a bucket.
•  A change in policy may remove the rate-limit obligation. The bucket exists as long as its flows exist.
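As an added example (not Cisco's data-plane code), the Go code below simulates the bucket lifecycle described above: one token bucket per installed policy, shared by every flow that matches it; flows that remain unlimited until the inspector verdict binds them to a bucket; excess packets dropped rather than queued; and a policy change that retires the obligation but leaves the bucket alive until its last flow closes. The type and method names (Limiter, Bind, Retire), the byte-denominated token bucket and the single-threaded model without locking are the example's own assumptions, not details from the slides.

```go
package main

import (
	"math"
	"time"
)

// Bucket is the token bucket created when a policy carrying a rate-limit
// obligation is installed. Tokens are bytes; every flow that matches the
// policy draws from this one bucket, so the allotted bandwidth is shared.
// (Single-threaded simulation: the locking a real data plane needs is omitted.)
type Bucket struct {
	policy  string
	rate    float64 // bytes credited per second
	burst   float64 // bucket depth: the most credit that can accumulate
	tokens  float64
	last    time.Time
	flows   int  // live flows bound to this bucket
	retired bool // obligation removed: no new flows, freed with the last one
}

// Admit credits the bucket for the time elapsed and charges n bytes. A packet
// that does not fit is dropped (false); nothing is queued or delayed.
func (b *Bucket) Admit(n int, now time.Time) bool {
	b.tokens = math.Min(b.burst, b.tokens+now.Sub(b.last).Seconds()*b.rate)
	b.last = now
	if float64(n) > b.tokens {
		return false
	}
	b.tokens -= float64(n)
	return true
}

// Limiter is the data-plane bookkeeping: policies own buckets, and a flow is
// bound to a bucket only after the inspector has said which policy it matched.
type Limiter struct {
	buckets map[string]*Bucket // policy name -> bucket
	flows   map[string]*Bucket // flow id -> bucket it draws from
}

func NewLimiter() *Limiter {
	return &Limiter{buckets: map[string]*Bucket{}, flows: map[string]*Bucket{}}
}

// Install runs when a policy with a rate limit is pushed to the device.
func (l *Limiter) Install(policy string, bytesPerSec, burst float64, now time.Time) {
	l.buckets[policy] = &Bucket{policy: policy, rate: bytesPerSec, burst: burst, tokens: burst, last: now}
}

// Bind is the inspector verdict: the flow matched policy and from now on draws
// from its bucket. It fails if the policy no longer carries the obligation.
func (l *Limiter) Bind(flow, policy string) bool {
	b, ok := l.buckets[policy]
	if !ok || b.retired {
		return false
	}
	b.flows++
	l.flows[flow] = b
	return true
}

// Packet decides whether one packet of n bytes on flow is forwarded. A flow
// whose verdict is still pending is bound to no bucket and is not limited.
func (l *Limiter) Packet(flow string, n int, now time.Time) bool {
	if b := l.flows[flow]; b != nil {
		return b.Admit(n, now)
	}
	return true
}

// Retire is the policy-change path: the obligation is gone, so no new flow
// binds, but the bucket lives until the flows already bound have ended.
// It returns true when the bucket could be freed immediately.
func (l *Limiter) Retire(policy string) bool {
	b, ok := l.buckets[policy]
	if !ok {
		return false
	}
	b.retired = true
	if b.flows > 0 {
		return false
	}
	delete(l.buckets, policy)
	return true
}

// Close ends a flow and returns true if it was the last flow of a retired
// bucket, which is freed at that point.
func (l *Limiter) Close(flow string) bool {
	b, ok := l.flows[flow]
	if !ok {
		return false
	}
	delete(l.flows, flow)
	b.flows--
	if !b.retired || b.flows > 0 {
		return false
	}
	delete(l.buckets, b.policy)
	return true
}
```

Two consequences worth seeing in the simulation: because the bucket is shared, one chatty flow starves the others that match the same policy, and a flow that has not yet been classified by the inspector passes completely unmetered until Bind is called, so the first packets of an HTTP or TLS session are never counted against the limit.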

TLS Enhancements


Available with Peregrine release

Web Reputation filtering support for HTTPS

•  Web reputation filtering can now be applied to HTTPS traffic
•  Uses the FQDN from the certificate to determine the web reputation of the server

Enforce certificate best practices

Certificate Caching

•  Aimed at improving the "connections per second" performance of the decryption engine
•  Previously the decryption engine generated a replacement certificate for every TLS connection
•  Replacement certificates, once generated, are now cached and reused for subsequent TLS requests to the same server

Trusted CA list updated

•  The decryption engine keeps a list of certificate authority certificates it trusts
•  The existing CA list was updated to match the CAs trusted by the Firefox browser (list posted by Mozilla)
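The Go program below is an added example, not ASA CX code. It covers both the TLS proxy handshake on the earlier slide and the certificate caching and trusted CA list described here: a decryption CA that authenticates the real server certificate against the roots it trusts, mints a replacement certificate carrying the destination name but signed by itself, caches that certificate per server name, and a client-side check showing that the proxied certificate is accepted only where the CX CA has been installed. It uses only the Go standard library; the names (Decryptor, Replacement, ClientAccepts), the choice of P-256 keys, and the use of one key for all proxied certificates are the example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mint signs the certificate described by tmpl with parentKey. Passing tmpl
// as its own parent yields a self-signed certificate (used for the CAs).
func mint(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl.SerialNumber = serial
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA generates a self-signed CA certificate and its private key.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: name}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature, NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour)}
	cert, err := mint(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// ServerCert issues a server certificate for serverName from the given CA.
func ServerCert(serverName string, ca *x509.Certificate, caKey *ecdsa.PrivateKey, pub *ecdsa.PublicKey, notAfter time.Time) (*x509.Certificate, error) {
	return mint(&x509.Certificate{
		Subject:     pkix.Name{CommonName: serverName},
		DNSNames:    []string{serverName},
		NotAfter:    notAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, pub, caKey)
}

// Decryptor plays the ASA CX role: its signing CA, the public CAs it trusts
// for upstream servers, the key placed in proxied certificates, and a
// per-server-name cache of replacement certificates.
type Decryptor struct {
	CA      *x509.Certificate
	caKey   *ecdsa.PrivateKey
	Trusted *x509.CertPool
	leafKey *ecdsa.PrivateKey
	cache   map[string]*x509.Certificate
}

func NewDecryptor(trusted *x509.CertPool) (*Decryptor, error) {
	ca, caKey, err := NewCA("ASA CX decryption CA")
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Decryptor{CA: ca, caKey: caKey, Trusted: trusted, leafKey: leafKey, cache: map[string]*x509.Certificate{}}, nil
}

// Replacement is steps 2 and 3 on the slide: authenticate the real server
// certificate against the trusted CA list, then hand back a certificate that
// carries the destination name but is signed by the decryption CA. The check
// runs before the cache lookup, so a cached entry never lets an untrusted
// upstream through; a cached certificate is reused while it is still valid.
func (d *Decryptor) Replacement(serverName string, upstream *x509.Certificate) (*x509.Certificate, error) {
	if _, err := upstream.Verify(x509.VerifyOptions{DNSName: serverName, Roots: d.Trusted}); err != nil {
		return nil, err
	}
	if c, ok := d.cache[serverName]; ok && time.Now().Before(c.NotAfter) {
		return c, nil
	}
	// The proxied certificate must not outlive the real one.
	c, err := ServerCert(serverName, d.CA, d.caKey, &d.leafKey.PublicKey, upstream.NotAfter)
	if err != nil {
		return nil, err
	}
	d.cache[serverName] = c
	return c, nil
}

// ClientAccepts is step 4: the browser validates the proxied certificate
// against its own roots, which succeeds only if the ASA CX CA was distributed.
func ClientAccepts(proxied *x509.Certificate, serverName string, roots *x509.CertPool) error {
	_, err := proxied.Verify(x509.VerifyOptions{DNSName: serverName, Roots: roots})
	return err
}
```

Two points the code makes concrete: the cache is keyed by server name, so a second connection to the same host costs one verification and no signature, which is where the connections-per-second gain comes from; and the upstream check is done on every connection rather than only on a cache miss, so a site whose certificate has been replaced by something the trusted CA list does not cover is rejected even though a cached replacement exists. The trusted list (here the Trusted pool) is exactly the set the slide says was aligned with Mozilla's.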


CX support for Multimode ASA


•  Adds CX support for multimode ASA (routed, transparent firewall, or mixed contexts).
•  Each context must configure CX redirection explicitly.
•  CX runs as a single instance and works with the ASA by carrying a virtual context ID (vcid) per transaction.
•  CX policies are global and apply to all contexts on the ASA.
•  Active authentication is supported, with the auth proxy port configurable.
•  PRSM Events displays context names.
•  Interface roles are context aware.

Licensing and Pricing


Step 1: Which hardware is needed → ASA-X with SSD or ASA 5585-X with CX SSP
Step 2: What service is needed → Application Visibility & Control, Web Security, NGFW IPS or bundles
Step 3: How long is the service needed → 1, 3, or 5 years

Hardware / License duration / Application Visibility & Control (AVC) / Web Security Essentials (WSE) / Next-Generation Firewall IPS (NGFW IPS)

ASA 5512-X with SSD (ASA5512-SSD120-K8, ASA5512-SSD120-K9)

1 year ASA5512-AP1Y ASA5512-WS1Y ASA5512-IP1Y

3 years ASA5512-AP3Y ASA5512-WS3Y ASA5512-IP3Y

5 years ASA5512-AP5Y ASA5512-WS5Y ASA5512-IP5Y

ASA 5515-X with SSD (ASA5515-SSD120-K8, ASA5515-SSD120-K9)

1 year ASA5515-AP1Y ASA5515-WS1Y ASA5515-IP1Y

3 years ASA5515-AP3Y ASA5515-WS3Y ASA5515-IP3Y

5 years ASA5515-AP5Y ASA5515-WS5Y ASA5515-IP5Y

ASA 5525-X with SSD (ASA5525-SSD120-K8, ASA5525-SSD120-K9)

1 year ASA5525-AP1Y ASA5525-WS1Y ASA5525-IP1Y

3 years ASA5525-AP3Y ASA5525-WS3Y ASA5525-IP3Y

5 years ASA5525-AP5Y ASA5525-WS5Y ASA5525-IP5Y

ASA 5545-X with SSD (ASA5545-2SSD120-K8, ASA5545-2SSD120-K9)

1 year ASA5545-AP1Y ASA5545-WS1Y ASA5545-IP1Y

3 years ASA5545-AP3Y ASA5545-WS3Y ASA5545-IP3Y

5 years ASA5545-AP5Y ASA5545-WS5Y ASA5545-IP5Y

ASA 5555-X with SSD (ASA5555-2SSD120-K8, ASA5555-2SSD120-K9)

1 year ASA5555-AP1Y ASA5555-WS1Y ASA5555-IP1Y

3 years ASA5555-AP3Y ASA5555-WS3Y ASA5555-IP3Y

5 years ASA5555-AP5Y ASA5555-WS5Y ASA5555-IP5Y


Hardware / License duration / AVC+WSE / AVC+NGFW IPS / AVC+WSE+NGFW IPS

ASA 5512-X with SSD (ASA5512-SSD120-K8, ASA5512-SSD120-K9)

1 year ASA5512-AW1Y ASA5512-AI1Y ASA5512-AWI1Y

3 years ASA5512-AW3Y ASA5512-AI3Y ASA5512-AWI3Y

5 years ASA5512-AW5Y ASA5512-AI5Y ASA5512-AWI5Y

ASA 5515-X with SSD (ASA5515-SSD120-K8, ASA5515-SSD120-K9)

1 year ASA5515-AW1Y ASA5515-AI1Y ASA5515-AWI1Y

3 years ASA5515-AW3Y ASA5515-AI3Y ASA5515-AWI3Y

5 years ASA5515-AW5Y ASA5515-AI5Y ASA5515-AWI5Y

ASA 5525-X with SSD (ASA5525-SSD120-K8, ASA5525-SSD120-K9)

1 year ASA5525-AW1Y ASA5525-AI1Y ASA5525-AWI1Y

3 years ASA5525-AW3Y ASA5525-AI3Y ASA5525-AWI3Y

5 years ASA5525-AW5Y ASA5525-AI5Y ASA5525-AWI5Y

ASA 5545-X with SSD (ASA5545-2SSD120-K8, ASA5545-2SSD120-K9)

1 year ASA5545-AW1Y ASA5545-AI1Y ASA5545-AWI1Y

3 years ASA5545-AW3Y ASA5545-AI3Y ASA5545-AWI3Y

5 years ASA5545-AW5Y ASA5545-AI5Y ASA5545-AWI5Y

ASA 5555-X with SSD (ASA5555-2SSD120-K8, ASA5555-2SSD120-K9)

1 year ASA5555-AW1Y ASA5555-AI1Y ASA5555-AWI1Y

3 years ASA5555-AW3Y ASA5555-AI3Y ASA5555-AWI3Y

5 years ASA5555-AW5Y ASA5555-AI5Y ASA5555-AWI5Y

Spare Solid State Drive (SSD) for existing ASA 5500-X customers

ASA5500X-SSD120=


Hardware / License duration / Application Visibility & Control (AVC) / Web Security Essentials (WSE) / Next-Generation Firewall IPS (NGFW IPS)

ASA 5585-X CX SSP-10 (ASA5585-S10C10-K8, ASA5585-S10C10-K9, ASA5585-S10C10XK9)

1 year ASA5585-10-AP1Y ASA5585-10-WS1Y ASA5585-10-IP1Y

3 years ASA5585-10-AP3Y ASA5585-10-WS3Y ASA5585-10-IP3Y

5 years ASA5585-10-AP5Y ASA5585-10-WS5Y ASA5585-10-IP5Y

ASA 5585-X CX SSP-20 (ASA5585-S20C20-K8, ASA5585-S20C20-K9, ASA5585-S20C20XK9)

1 year ASA5585-20-AP1Y ASA5585-20-WS1Y ASA5585-20-IP1Y

3 years ASA5585-20-AP3Y ASA5585-20-WS3Y ASA5585-20-IP3Y

5 years ASA5585-20-AP5Y ASA5585-20-WS5Y ASA5585-20-IP5Y

ASA 5585-X CX SSP-40 (ASA5585-S40C40-K8, ASA5585-S40C40-K9, ASA5585-S40C40XK9)

1 year ASA5585-40-AP1Y ASA5585-40-WS1Y ASA5585-40-IP1Y

3 years ASA5585-40-AP3Y ASA5585-40-WS3Y ASA5585-40-IP3Y

5 years ASA5585-40-AP5Y ASA5585-40-WS5Y ASA5585-40-IP5Y

ASA 5585-X CX SSP-60 (ASA5585-S60C60-K8, ASA5585-S60C60-K9, ASA5585-S60C60XK9)

1 year ASA5585-60-AP1Y ASA5585-60-WS1Y ASA5585-60-IP1Y

3 years ASA5585-60-AP3Y ASA5585-60-WS3Y ASA5585-60-IP3Y

5 years ASA5585-60-AP5Y ASA5585-60-WS5Y ASA5585-60-IP5Y


Hardware / License duration / AVC+WSE / AVC+NGFW IPS / AVC+WSE+NGFW IPS

ASA 5585-X CX SSP-10 (ASA5585-S10C10-K8, ASA5585-S10C10-K9, ASA5585-S10C10XK9)

1 year ASA5585-10-AW1Y ASA5585-10-AI1Y ASA5585-10-AWI1Y

3 years ASA5585-10-AW3Y ASA5585-10-AI3Y ASA5585-10-AWI3Y

5 years ASA5585-10-AW5Y ASA5585-10-AI5Y ASA5585-10-AWI5Y

ASA 5585-X CX SSP-20 (ASA5585-S20C20-K8, ASA5585-S20C20-K9, ASA5585-S20C20XK9)

1 year ASA5585-20-AW1Y ASA5585-20-AI1Y ASA5585-20-AWI1Y

3 years ASA5585-20-AW3Y ASA5585-20-AI3Y ASA5585-20-AWI3Y

5 years ASA5585-20-AW5Y ASA5585-20-AI5Y ASA5585-20-AWI5Y

ASA 5585-X CX SSP-40 (ASA5585-S40C40-K8, ASA5585-S40C40-K9, ASA5585-S40C40XK9)

1 year ASA5585-40-AW1Y ASA5585-40-AI1Y ASA5585-40-AWI1Y

3 years ASA5585-40-AW3Y ASA5585-40-AI3Y ASA5585-40-AWI3Y

5 years ASA5585-40-AW5Y ASA5585-40-AI5Y ASA5585-40-AWI5Y

ASA 5585-X CX SSP-60 (ASA5585-S60C60-K8, ASA5585-S60C60-K9, ASA5585-S60C60XK9)

1 year ASA5585-60-AW1Y ASA5585-60-AI1Y ASA5585-60-AWI1Y

3 years ASA5585-60-AW3Y ASA5585-60-AI3Y ASA5585-60-AWI3Y

5 years ASA5585-60-AW5Y ASA5585-60-AI5Y ASA5585-60-AWI5Y


Cisco Prime Security Manager VMware virtual appliance PIDs:

PRSMv9-SW-5-K9    Prime Security Manager - Software - 5-Device Management
PRSMv9-SW-10-K9   Prime Security Manager - Software - 10-Device Management
PRSMv9-SW-25-K9   Prime Security Manager - Software - 25-Device Management
PRSMV9-SW-50-K9   Prime Security Manager - Software - 50-Device Management
PRSMV9-SW-100-K9  Prime Security Manager - Software - 100-Device Management

Cisco Prime Security Manager physical appliance PIDs:

PRSM-HW1-25-K9    Prime Security Manager - Appliance - 25-Device Management
PRSMv9-HW-50-K9   PRSM - Appliance - 50-Device Management
PRSMv9-HW-100-K9  PRSM - Appliance - 100-Device Management

•  VMware ESX based virtual appliance or physical appliance (bundles hardware and software)
•  Licensing is based on the number of ASA NGFWs that will be managed using the product

Thanks